arXiv:1505.04511v1 [cs.CE] 18 May 2015 


Contribution to 
Temporal Fault Tree Analysis 
without Modularization and Transformation 

into the State Space 


Translation into English 
of the doctoral thesis of 
Dr. Ing. Simon J. Schilling 
at the 

Bergische Universität Wuppertal. 

Date of examination: 

21. December 2009 

Reviewer/Supervisor: 
Univ.-Prof. Dr.-Ing. A. Meyna 
Univ.-Prof. Dr. rer. nat. P. C. Müller 


The German original can be downloaded from 
http://nbn-resolving.de/urn/resolver.pl?urn=urn:nbn:de:hbz:468-20100070 
Translated version of 19 May 2015. 

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 

See inside for more details. 




For 

Albert and Alexandra and Liselotte 




Preface to the Translation 


This translation into English was done in order to present my work to a broader audience. I 
aimed at staying as close to the German original as possible. This is especially relevant for the 
state of the art chapter which was not updated. Thus, newer work, as well as additional work 
by authors that were already referenced in the original, was not taken into account. 

The German original is an official doctoral (i.e. Ph.D.) thesis and was published and is hosted 
as PDF by the university itself. I chose to publish this translation - including the complete 
LaTeX sources - under a Creative Commons license and host it at GitHub because I was looking 
for a simple, stable and open - as in open source - solution for the benefit of potential readers. 
As English is not my first language, I surely made some mistakes and would greatly appreciate 
any comments and suggestions for improvements. 

Munich, May 2015 Simon Schilling 


License 

“Contribution to Temporal Fault Tree Analysis without Modularization and Transformation into 
the State Space” by Simon J. Schilling is licensed under the Creative Commons Attribution-
ShareAlike 4.0 International License. 

To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/. 

It is based on the work at http://nbn-resolving.de/urn/resolver.pl?urn=urn:nbn:de:hbz:468-20100070, 
which is the German original version of this thesis, and also by Simon J. Schilling. 
Note that the German original is not published under a Creative Commons License. 







Preface 


This work was accomplished during my time as scientific member of the Central Functional 
Safety Team at BMW Group in Munich, Germany. 

I want to specifically thank Univ.-Prof. Dr.-Ing. Arno Meyna and Dipl.-Ing. Christoph Jung. 

I thank Professor Meyna for his support during my external promotion at the department of 
safety engineering, safety theory and traffic engineering at the Bergische Universität Wuppertal. 

I thank Mr. Jung, who was head of the Central Functional Safety Team at BMW Group 
and convenor of ISO TC 22 SC 3 WG 16 and as such one of the main creative heads behind 
and responsible for ISO 26262, for making this work possible and I thank him for repeatedly 
trusting and supporting me throughout the last years. 

I thank Prof. Dr. rer. nat. P. C. Müller for writing the second assessment on this work and 
being part of the graduation committee. I thank Prof. Dr.-Ing. Dipl.-Wirtsch.-Ing. B. H. Müller 
for chairing the graduation committee. I thank Prof. Dr.-Ing. U. Barth for being part of the 
graduation committee. 

I thank my colleagues at BMW for their support and interest. 

I especially thank Dr.-Ing. Martin Woltereck, who brought me to the field of functional safety 
and to fault tree analysis. 


Munich, December 2009 


Simon Schilling 




Abstract 


Background 

Fault tree analysis (FTA) is a well established method for qualitative as well as probabilistic 
reliability and safety analysis. Fault trees are Boolean models and thus do not support modelling 
of dynamic effects like sequence dependencies between fault events. In order to overcome this 
limitation, dynamic fault tree methods were defined previously. Most of these are based on 
complete or partial transformation of the fault tree model into state-space models like Markov 
chains or Petri nets. These state-space models generally suffer from exponential state explosion, 
which imposes the necessity to define small “dynamic” modules which need to be independent 
from the rest of the model. Moreover, these state-space models lack some of the FTA’s benefits 
like logical simplification of complex system functions or a real cutset analysis. Because of these 
deficiencies, a method is needed that allows consideration of sequence dependencies without 
transformations into state space. This work describes such a new approach. 

Concept 

The new temporal fault tree analysis (TFTA) described in this work extends the Boolean FTA 
in order to take sequence dependencies into account. The TFTA is based on a new temporal 
logic which adds a concept of time to the Boolean logic and algebra. This allows modelling of 
temporal relationships between events using Boolean operators (AND “∧”, OR “∨”, NOT “¬”) 
and two new temporal operators (PAND and SAND). With a set of temporal logic 
rules, a given temporal term may be simplified to its temporal disjunctive normal form (TDNF), 
which is similar to the Boolean DNF but includes event sequences. In TDNF the top event’s 
temporal system function may be reduced to a list of minimal cutset sequences (MCSS). These 
allow qualitative analyses similar to Boolean cutset analysis in normal FTA. Furthermore, the 
TFTA may also be used for probabilistic analyses. Probabilities and rates of MCSS may be 
calculated without using state-space models. Again the procedure is similar to the normal FTA: 
top event failure probabilities and rates are derived from the failure probabilities and rates of 
the basic events including sequence dependencies. 

Realisation 

Starting with the Boolean FTA this work describes a new notation and new rules for a temporal 
logic. This temporal logic aims at transforming temporal terms into a TDNF, which then 
may be transformed further into a form where all terms are mutually exclusive. This form is 
well suited for quantification, too. Several examples are provided which explain each step in 
detail. Furthermore, two probabilistic approximation methods are described, which allow 
a significant reduction of the calculatory effort. 

Results 

One significant aspect of the new TFTA described in this work is the possibility to take sequence 
dependencies into account for qualitative and probabilistic analyses without state-space 
transformations. Among others, this allows for modelling of event sequences at all levels within 
a fault tree, a real qualitative analysis similar to the FTA’s cutset analysis, and quantification 
of sequence dependencies within the same model. 





General Remark and Disclaimer 

All safety and reliability analyses in this work are presented solely for the purpose of demonstrating 
new analysis methods and are to be seen as simplifications and examples only. While 
they use, among others, technical functions and data similar to those of real systems, they must 
not be taken as evidence for the safety or reliability of existing or planned “real life” systems, 
functions, or components. 
1 Introduction 


System safety is organized common sense. 

(Mueller) 


1.1 Motivation 

The fault tree analysis (FTA) is one of the most important methods of modelling and analyzing 
the reliability and safety of systems qualitatively as well as probabilistically. In the automotive 
domain there is a trend towards more safety critical electronics [1], and thus functional safety is 
increasingly important [2]. Therefore the domain specific functional safety standard ISO 26262 
[3] is currently being derived from the more generic IEC 61508 [4]. 

In the automotive domain the FTA is used during development for several reasons: the 
allocation of safety requirements, as well as the confirmation and verification of requirements 
(e.g. failure rates as required by ISO 26262), and the comparison of safety architectures. 

Today, the FTA is generally considered state of the art, e.g. [5-9]. Nevertheless certain 
problems remain, and there is an ongoing scientific interest in the FTA method. 

This thesis results from years of practical experience during my time at the functional safety 
department of a German automotive manufacturer. Contrary to expectations, the conventional - 
i.e. static - FTA still has difficulties providing realistic and not too conservative results 
when applied to modern electric/electronic (EE) systems. 

The operational behaviour and failures of such systems are highly dynamic in the sense that 
subsystems, functions and components (or their failures) depend on each other (structural 
dependencies) or depend on their relative timing (temporal dependencies) [10]. 

The fault tree method on the other hand is limited to binary parameters as it is based on 
Boolean (failure) logic. As a consequence, temporal dependencies and dependencies between 
failure rates of fault tree basic events must be omitted. Both limitations may usually be 
circumvented, or at least mitigated, by taking specific assumptions and approximations into account. 
But both problems cannot be completely solved from within the conventional FTA. 

Furthermore, when using fault trees one has to keep in mind that conservative approximations 
(less modelling effort) usually conflict with the wish to avoid an unnecessarily expensive system 
design. Imprecise (approximated) fault tree models must not lead to overly complex and overly 
expensive technical solutions in the system under consideration. 

This problem and conflict is well known [11-13]. In general, there is always the possibility 
to analyze the system using other methods that can take dynamic effects into account, like e.g. 
state based methods. On the other hand there is a reason for the FTA’s success as one of the 
most widely used methods for analyzing the reliability and safety of complex systems [14]: in 
comparison to other methods fault trees are easy to use, to read, to understand, and they are 
scalable. This is because a system’s fault tree is structured similarly to the system architecture. 
Especially state based methods (e.g. Markov diagrams) lack this feature. 

For years there have been several approaches to combine state based methods with the 
conventional FTA. These aim at combining the benefits of both methods while circumventing their 
disadvantages. Usually the user shall stay within the more intuitive fault tree while modelling 
the system under consideration; then, the system’s dynamic effects and dependencies are hidden 
from the user by state based models that do the calculations in the background automatically. 

Such hybrid techniques are often called dynamic FTA; but they also have some specific 
disadvantages. Mostly they use fault trees as a tool for easy visualization or relatively simple creation 
of models; but they do not also fully use the fault tree for the analysis and calculation, and thus 
they do without some of the FTA’s biggest benefits. 

These problems, as well as pure scientific curiosity, led to intense research on a more efficient 
way to handle dynamic effects and dependencies from within fault trees. 

This thesis presents the results of this research. 

1.2 Structure of this Thesis 

This thesis deals with dynamic effects in safety and reliability analyses, and specifically with 
the modelling of failure sequences in fault trees. It is structured as follows. 

Chapter 2 presents the state of the art as relevant for this thesis; specific focus goes to the 
conventional Boolean FTA (chapter 2.2), as well as to dynamic extensions of the FTA (chapter 
2.3); the latter includes methods where the fault tree model is transformed into a state based 
model, as well as methods using temporal logics. 

This survey points to several shortcomings of the current state of the art; specifically, these 
result from the changed focus of modelling, analysis, and calculation; they are listed in chapter 
3, which also derives criteria and requirements for improvements. 

Chapter 4 describes the proposed new approach for including failure event sequences into the 
fault tree without changing to the state space. This new temporal fault tree analysis (TFTA) 
relies on a temporal extension to the conventional Boolean algebra and logic; this temporal logic 
has its own notation (chapter 4.1) and its own laws of transformation (chapter 4.2). Chapter 
4.3 then shows how to transform temporal terms into disjunct minimal failure event sequences. 
There is also an extended form of the TFTA which is presented in chapter 4.4; it allows for 
reduced calculatory effort when solving more complex temporal failure functions. 

Chapter 5 discusses the quantification of temporal terms, which in turn allows probabilistic 
evaluation of temporal fault trees. 

Chapter 6 compares the new TFTA approach with a) conventional Boolean FTA, b) the 
dynamic fault tree approach (DFT) as a typical dynamic extension of the Boolean FTA, and c) 
Markov diagrams. 

Chapter 7 applies the TFTA to a more complex and complete example in order to demonstrate 
its practical use. A typical automotive ECU architecture is analyzed: beginning with its system 
analysis, followed by creation of a corresponding temporal fault tree, and finally the qualitative 
as well as probabilistic fault tree transformation and analysis. 

This thesis closes with a summary and outlook in chapter 8. 



2 State of the Art: Static and Dynamic 
Fault Tree Analysis (FTA) 


Of course, it is safe, we certified it. 

(An FAA administrator) 


This chapter provides an overview of the state of the art as relevant for the TFTA method. 

• Chapter 2.1 describes the field of safety related fault tree analysis in general. 

• The conventional and solely static FTA is among the most common methods for systematic 
top down failure analysis of complex systems, see chapter 2.2. 

• As shown in chapter 2.3, today there are several extensions to the conventional FTA; they 
take dynamic failure behaviour into account and try to mitigate the FTA’s shortcomings 
in this field. Chapter 2.3.3 presents state based methods, and methods using temporal 
(failure) logics are discussed in chapter 2.3.4. 

• Chapter 2.4 summarizes the state of the art, which leads to the main problem description 
of this thesis in the following chapter 3. 


2.1 Background 

2.1.1 Reliability and Safety Analyses 

The reliability of a system or a component (in general: an entity) is defined as its “capability [...] 
to meet expected performance criteria, given by its intended use, during a defined time period” 
[15]. An entity that has failed can no longer provide its functionality; therefore, conventional 
reliability analysis focuses on the failure behaviour of entities. 

Such an analysis usually covers the following steps [16]: it supports development of new systems 
by comparing different - existing or proposed - system designs among each other, as well 
as comparing them to objective requirements (i.e. reliability prediction, reliability comparison, 
reliability pursuit, identification of weak spots). Additionally, it allows reliability verification of 
existing systems and concepts. The same methods and analytical approaches are usually used 
for all these purposes. 

In comparison to reliability analysis, the safety analysis is focused on only those system and 
component failures that lead to loss of “safety”, where safety is defined as “freedom from 
unacceptable risks” [4]. From a safety perspective, an entity’s relevant reliability is therefore its 
capability - or, in case of a more probabilistic view, its probability - to not induce dangerous 
effects (i.e. damage) during a defined time period and under given circumstances. Thus, 
reliability, from a safety perspective, takes failure consequences into account, too. 

Safety analyses therefore need to define which risks and which damages are relevant. In the 
context of conventional safety of technical systems these typically are the danger to life and 
limb, or injuries and death of persons [4]. In general, the same analysis methods are used in 
other contexts, too; e.g. in the context of security of technical systems [17, 18]. This thesis only 
addresses the safety context¹. 

2.1.2 Static and Dynamic Analyses 

2.1.2.1 Dynamic System Behaviour 

A system behaves dynamically if [19] the system response to an initial disturbance develops 
over time, while the system’s components interact among each other, as well as with their 
surroundings. In comparison, conventional fault tree analysis looks at unwanted events (i.e. 
system failures) as a static, determined, and time invariant consequence of certain component 
failures [19]. 

In a world full of dynamic influences and interactions basically all technical systems also 
behave dynamically. Static methods and models for reliability and safety analysis of systems 
therefore necessarily only approximate a system’s real dynamic behaviour. 

This simplification is the main reason why handling of static analyses like FTA or reliability 
block diagrams (RBD) is relatively easy. Actually, in many cases it is the assumption of static 
behaviour that makes an analysis feasible at all. In practice the relevant question is which static 
approximations allow “good enough” representation of the actual dynamic failure behaviour. 

It has been demonstrated that conventional FTA is very well suited for logical and probabilistic 
analyses of systems, if their failure behaviour is - at least in the first approximation - free 
of time dependencies or dynamic interactions between its components. 

On the other hand, ever since the beginning of systematic failure behaviour analysis in the 
mid-20th century, researchers and users have been complaining about static analysis being 
too imprecise [20]. Therefore, scientists are researching how static analysis methods like FTA 
may be extended by the most important dynamic effects - but without excessively increasing 
modelling and calculatory effort. 

2.1.2.2 Methods of Modelling 

In view of [21] and [22] three types of dynamic reliability and safety analyses (ZSA) may be 
distinguished by their different modelling approaches. These are 

• state transition models, especially Markov models, e.g. [23], 

• direct simulation of systems, especially using MoCaS, e.g. [13, 24], and 

• extensions of static event sequence analysis and the FTA in order to also represent dynamic 
effects. 

The following chapters cover those methods in more detail. 

¹Author’s remark: in German there is only one term “Sicherheit” for both of the English “safety” and “security”; 
therefore, a further distinction and limitation of this thesis’ scope follows at this place, but is omitted in the 
English translation. 
2.2 Static FTA — the Classical Approach 


The history of FTA can be traced to the mid-20th century and starts with the reliability analysis 
of the Minuteman missile [25, 26]. 

The conventional fault tree [6-8] is a Boolean model that systematically and methodically 
describes the interaction of failures within a system that lead to a system failure. It is a top-down 
or deductive method. Starting from an undesirable event or system state - the so-called 
TOP - more detailed failure events that cause this TOP are searched for iteratively. Graphical 
representation of these failure events is done using a tree notation, the so-called fault tree. The 
components’ failure events modelled in the fault tree are represented by events that can be 
in one of two states according to Boolean logic: “intact/unfailed/failure has not occurred” is 
represented by a Boolean False or 0, and “defect/failed/failure has occurred” is represented by 
a Boolean True or 1, respectively. 

Evaluation of the fault tree is done qualitatively as well as probabilistically. The system 
is comprised of clearly separable elements (components), each of which has its own reliability 
and safety characteristics, and which influence the system reliability and safety according to the 
components’ logical interconnection. Using these connections, the fault tree model is then able 
to derive the system characteristics from its component characteristics. 

With the simplifying laws of Boolean algebra the system function/failure function, i.e. the 
logical function of the TOP event, is transformed into a minimal disjunctive normal form. 
The minimal cutsets of the fault tree determined thereby may then be further used probabilistically 
together with the laws of probability calculus. The probability or frequency of occurrence of 
the undesirable event or system state is - for non-repairable systems - the failure probability 
and the failure density or failure rate of the TOP event, respectively; for repairable systems, it 
is the unavailability and failure frequency of the TOP event, respectively [27]. 
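As an added worked example (not code from the thesis), the following Python script carries out the two steps just described on a small constructed fault tree: it expands the TOP event’s Boolean failure function into a disjunctive normal form, reduces it to the minimal cutsets with the absorption law, and then quantifies the TOP failure probability for mutually independent basic events, once exactly and once with the usual sum-of-cutsets upper bound. The tree, the event names PS, CH1, CH2 and the failure probabilities are constructed for the example and represent no real system.

```python
from itertools import product

# Constructed example fault tree (not from the thesis): the TOP event occurs if
# the shared power supply PS fails, or if both redundant channels fail; each
# channel also depends on PS. A node is a basic-event name (str) or a pair
# (gate, children) with gate in {"AND", "OR"}.
FAULT_TREE = ("OR", [
    "PS",
    ("AND", [("OR", ["CH1", "PS"]), ("OR", ["CH2", "PS"])]),
])

# Constructed failure probabilities of the basic events for the mission time.
PROBS = {"PS": 0.01, "CH1": 0.1, "CH2": 0.1}


def dnf(node):
    """Failure function of `node` as a disjunctive normal form: a set of
    frozensets, each frozenset being one conjunction (cutset) of basic events."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    terms = [dnf(child) for child in children]
    if gate == "OR":                      # OR: union of the children's terms
        return set().union(*terms)
    if gate == "AND":                     # AND: distribute, pairwise union of terms
        result = terms[0]
        for other in terms[1:]:
            result = {a | b for a in result for b in other}
        return result
    raise ValueError(f"unknown gate {gate}")


def minimal_cutsets(node):
    """Minimal DNF: drop every term that contains another term (absorption law
    X OR (X AND Y) = X); idempotence A AND A = A is already covered by using
    sets. The surviving terms are the minimal cutsets."""
    terms = dnf(node)
    return {t for t in terms if not any(other < t for other in terms)}


def basic_events(node):
    """All basic events referenced below `node`."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(child) for child in node[1]))


def top_probability(node, probs):
    """Exact TOP failure probability for mutually independent basic events,
    obtained by summing over all 2^n combinations of basic-event states
    (feasible only for small n, but free of any approximation)."""
    events = sorted(basic_events(node))
    cutsets = minimal_cutsets(node)
    total = 0.0
    for failed_flags in product((False, True), repeat=len(events)):
        failed = {e for e, f in zip(events, failed_flags) if f}
        weight = 1.0
        for e, f in zip(events, failed_flags):
            weight *= probs[e] if f else 1.0 - probs[e]
        if any(cs <= failed for cs in cutsets):  # some cutset is fully failed
            total += weight
    return total


def rare_event_bound(node, probs):
    """Upper bound on P(TOP): the sum of the minimal cutset probabilities,
    the usual first-order approximation in static FTA."""
    bound = 0.0
    for cs in minimal_cutsets(node):
        p = 1.0
        for e in cs:
            p *= probs[e]
        bound += p
    return bound


if __name__ == "__main__":
    print(sorted(sorted(cs) for cs in minimal_cutsets(FAULT_TREE)))
    print(top_probability(FAULT_TREE, PROBS), rare_event_bound(FAULT_TREE, PROBS))
```

For the constructed tree the power supply PS survives as a single-event cutset although it also appears inside both redundant channels; the expanded DNF contains the terms {PS, CH1} and {PS, CH2}, which the absorption step removes. The exact probability 0.0199 lies just below the cutset bound 0.02, which is why the bound is acceptable when the basic events are rare.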

Furthermore, qualitative analysis of the system architecture is possible, too, because of the 
similarity of the fault tree model to the real system structure; specifically, such qualitative 
analysis allows analysis of redundancy structures as well as sensitivity analysis [28], importance 
analysis [29], and confidence analysis [30]. 

Qualitative and probabilistic static FTA is state of the art in many domains like nuclear [5], 
aerospace [31], and automotive industries [9, 32]. There is demand for further research on using 
FTA for analysis of software “failures” [33], especially because of difficulties stemming from 
proper representation of dynamic effects, see below. 

FTA is intuitive in its application - in comparison to other methods like e.g. state based 
markov diagrams; thus, learning the FTA method is comparatively easy, and fault trees are 
easy to create, read, understand, rework, and edit, as well as to detail iteratively, and to use in 
modules. 

One main limitation of the FTA is that its events are (only) bivalent, i.e. True or False; another 
limitation is that the assumptions of monotony or coherence must be satisfied [34, 35]; a third 
limitation is the implied independence of its basic events. Furthermore, FTA has only very 
limited possibilities of representing dynamic failure and repair behaviour [12]. The reason for this is 
the underlying Boolean logic [36], which has no concept of time, and thus only covers structural 
aspects of failure combinations [34]. No statement is made about the sequence in which events 
occur, nor about other time dependencies, see chapter 2.3.1. 
2.3 Dynamic FTA 

The expression dynamic FTA is often used as a synonym for the dynamic fault tree (DFT) 
approach according to Dugan [37]. The DFT uses Markov chains to extend the static FTA to 
model and to analyze sequence dependencies. 

The DFT approach therefore defines its “dynamic” with event sequences. This thesis and the 
TFTA approach, as described in chapter 4, are also based on this underlying interpretation of 
“dynamic”, i.e. on the possibility of representing event sequences. 

2.3.1 Defining Dynamic with Event Sequences 

Boolean logic with its AND, OR, and NOT operations is not capable of expressing temporal 
relationships. For example, the failures of two components A and B in a system shall be 
considered. The event “A AND B” represents “both components have failed”. It does not, 
though, provide any information on the real points in time at which A and B occurred, and 
from that: the sequence in which both events occur. This Boolean view grasps only the static 
state that the two components are (or are not) failed. 

In contrast to that, a dynamic view discriminates between different ways of reaching this 
event or state. It extends the all-static analysis of only considering possible combinations of 
events [38]. 

For “A AND B” there are three different such ways. First, A may fail before B, and then B 
fails later, too. Second, B may fail before A, and then A fails later, too. Third, A and B may 
fail exactly simultaneously. 

Each of these ways leads to the - from a Boolean point of view: identical - state that both 
components have failed. This discrimination of possible ways to an event or state may be 
visualized using state-transition diagrams. Figure 2.1 shows such a state-transition diagram 
corresponding to the example above. “Dynamic” as discrimination of different ways to an event 
or state works with temporal expressions like “before”, “after”, “first”, “then”, “simultaneous”, 
and so on. Modelling such “dynamics” requires differentiating the points in time at which 
events occur. This capability requires that a concept of time exists within the model [39]. 



Figure 2.1: State-transition diagram of a simple, redundant, and non-repairable system that 
consists of two components A and B; this diagram shows the possible four states 
and five transitions. 
Conversely, differentiating the points in time at which events occur also allows one to distinguish between 
different event sequences. And with event sequences a multitude of dynamic effects can be 
described [12, 40]. 
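The three ways of reaching “A AND B”, and the four states and five transitions of figure 2.1, can be generated mechanically. The following Python script is an added example (not part of the thesis) that does so for any number of non-repairable components, treating several components failing exactly simultaneously as one transition. The component names and the generalization from two components to n are the example’s own assumptions.

```python
from itertools import combinations

# Constructed example: the two components A and B of the text.
COMPONENTS = ("A", "B")


def states(components):
    """Every state of a non-repairable system is the set of components that
    have failed so far, so there are 2^n states for n components."""
    comps = sorted(components)
    return [frozenset(c) for r in range(len(comps) + 1)
            for c in combinations(comps, r)]


def transitions(components):
    """A transition leads from a state to any state with strictly more failed
    components: single failures, and also several failures at exactly the
    same time as one simultaneous transition (3^n - 2^n transitions)."""
    all_states = states(components)
    return [(s, t) for s in all_states for t in all_states if s < t]


def ways_to_all_failed(components):
    """All distinct event sequences from 'nothing failed' to 'all failed'.
    A way is a tuple of steps, each step being the frozenset of components
    that fail together in that step. Boolean logic cannot tell them apart."""
    target = frozenset(components)

    def extend(current):
        if current == target:
            return [()]
        ways = []
        remaining = sorted(target - current)
        for r in range(1, len(remaining) + 1):
            for step in combinations(remaining, r):
                for rest in extend(current | frozenset(step)):
                    ways.append((frozenset(step),) + rest)
        return ways

    return extend(frozenset())


def describe(way):
    """Human-readable form using the temporal words of the text."""
    parts = []
    for step in way:
        names = " and ".join(sorted(step))
        parts.append(names + " simultaneously" if len(step) > 1 else names)
    return " then ".join(parts)


if __name__ == "__main__":
    print(len(states(COMPONENTS)), "states,",
          len(transitions(COMPONENTS)), "transitions")
    for way in ways_to_all_failed(COMPONENTS):
        print(describe(way))
```

For two components the script lists exactly the three sequences named above (“A then B”, “B then A”, “A and B simultaneously”) over 4 states and 5 transitions. For three components the Boolean view still sees a single end state, while the dynamic view already distinguishes 13 sequences across 8 states and 19 transitions; this growth is what makes state-based representations of event sequences expensive.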

Next Steps 

The contribution to dynamic FTA, as presented in this thesis, also uses “dynamic” in the sense of 
representation of event sequences. The next section 2.3.2 differentiates this meaning of “dynamic” 
from others that are also used in the context of ZSA, and specifically in the context of 
FTA. Section 2.3.3 discusses typical implementations of this meaning of “dynamic”, specifically 
implementations based on Markov chains and Petri nets. Section 2.3.4 outlines a very different 
way of extending the FTA by event sequences, and for this purpose describes several approaches 
of extended (temporal) failure logics. Chapter 2.4 summarizes this state of the art of dynamic 
FTA. 

2.3.2 Other Definitions of Dynamic 

Apart from the consideration of event sequences there are other temporal dependencies among 
(failure) events, and consequently other definitions of “dynamic” in the ZSA field, too, some of 
which are listed below. The overview in [41] is not the most recent, but is still valid. 

In [42] dynamic effects in analyses result either from time-dependent failure rates, or from 
time-dependent unavailabilities, or from reduction of uncertainty whether the reliability data 
used is correct, or from failure sequences. 

Abstracting these categories, dynamic either results from variable reliability data, or from the 
failure events’ sequence. Sometimes, phased mission methods are seen as a third such category, 
see e.g. [39, 43] or [44]. But these may as well be seen as belonging to either of the first two 
categories, or they may be interpreted as piecewise static analysis. 

A further distinction into “fast” and “slow” dynamic temporal dependencies is given in [22]. 
Slow dynamic effects occur during normal operation, e.g. by aging, learning effects, or changes 
in the system. On the other hand, fast dynamic effects describe incidents, and thus dynamic 
ZSA focus on these. In [22] dynamic ZSA is based on MoCaS. 

The referenced work comes mainly from the nuclear domain. They emphasize explicit 
consideration of temporal dependencies as well as consideration of human reliability analysis (HRA) [45] as another 
important contribution of dynamic ZSA. On the other hand, HRA is not as relevant in the 
automotive domain today; reasons for this are 

1. that safety critical systems are preferably designed as fail safe systems, thus real fail 
operational systems are rare [46], 

2. the lack of human operators as part of the safety systems, which directly influence the 
system’s behaviour during normal operation as well as during incidents, and 

3. the lack of inspection, maintenance, and repair crews, as they are known in plants or in 
the aerospace domain. 

It is expected that HRA will become more and more relevant for the functional safety of 
automotive systems, too, specifically because of the increase of high-voltage systems in electric 
and hybrid cars, and because of the increasing integration of active safety systems and driver 
assistance systems. 

Moreover, there are special approaches to dynamic ZSA using MoCaS in the automotive 
domain, too. For example, [24] considers the influence of dynamic system behaviour on the 
system’s failure behaviour by taking time-dependent failure data into account. As these 
approaches require comparably high effort, they are used only for special cases and are not (yet) 
widespread. 

2.3.3 Dynamic FTA - Other Approaches 

From here on this thesis on dynamic FTA focuses on “dynamic” in the sense of representation 
of event sequences. 

Known approaches to extending the FTA by dynamic effects typically are either simulations, 
or they automatically transform the fault tree model into a Markov model, and then solve the 
resulting differential equation system. 

The well known DFT approach [37] is based on modularizing the fault tree into static and 
dynamic modules, which are then calculated using binary decision diagrams (BDD) [47, 48] and 
Markov chains. Static modules consist only of Boolean fault tree gates and events; dynamic 
modules also include dynamic fault tree gates. The latter are used to represent effects like 
sequences, or cold, warm, and hot redundancies, or trigger events. Figure 2.2 shows the main 
steps of this approach and compares them to the conventional static FTA. 

The DFT method is included in numerous fault tree tools in differing completeness; e.g. in 
DIFTree [49] or Galileo [38], as well as in several commercial FTA tools like Isograph Faulttree-7 
[50], ITEM Toolkit [51], or RELAX Reliability Studio [52]. DFT are also mentioned in the recent 
edition of the Fault Tree Handbook [31]. 

A similar approach is presented in [53], which uses dynamic Bayesian networks instead of 
creating and solving Markov chains, a method for reducing calculatory costs. 

Another alternative in [54] solves DFT modules with modified BDD, which are called 
zero-suppressed binary decision diagrams; this approach requires to manually include sequence 
information into the relevant minimal cutsets, instead of using Markov models. This manual step 
limits the use of dynamic gates to relatively simple structures, though. Another similar such 
method is discussed in [55]. 


[Figure 2.2; recoverable labels of the top panel “conventional FTA (qualitative as well as probabilistic)”: 
FTA creation; FTA simplification (Boolean algebra); analysis / quantification of minimal cutsets. 
Bottom panel: “conventional dynamic FTA”.] 


Figure 2.2: Main steps in conventional FTA (top) and - for comparison - main steps of a 
conventional dynamic fault tree extension using state-based modelling. 

The approach introduced in [56, 57] is based on Boolean logic driven Markov processes 
(BDMP) and, compared to the listed approaches from above, improves qualitative system 
analysis, and to some extent also allows taking repairable components into account. 

A different approach to dynamic FTA based on Petri nets, and without Markov models, is 
chosen in [58] and [59, 60]; a further possibility are state-event fault trees given in [61]. 

Discussion 

All these approaches to dynamic FTA are based on transforming the original fault tree model 
into state-based models. The latter are able to consider temporal dependencies and thus event 
sequences, too. The different approaches differ in their choice of transformation method - on 
the one hand, the complete fault tree is transformed; on the other hand, modularization and 
transformation only of those sub-trees that carry relevant dynamic data - and they differ in 
their choice of state-based method. 

But they have in common that, firstly, their calculatory cost grows exponentially with the 
size of their dynamic modules. Newer methods in [62, 63] reduce the time needed for the 
actual modularization, so that the calculatory effort grows only linearly with the number of 
modelled elements. But the complexity for solving the markov chains is always $O(K \cdot N^2)$ [64]. 
$K$ depends on the number of computation steps, and thus on the mission time and the 
calculation's precision. And $N$ depends on the number of states within the markov model; 
this number is in the range of $N =$ for $n$ elements under consideration. This state explosion 
[65] requires modularization with as small dynamic modules as possible. On the other hand, 
these markov models and their resulting differential equation systems can, in many cases, only 
be solved approximately, even despite modularization (see e.g. [64]). 

Secondly, modularization requires that the modules are independent from each other. This 
limits the dynamic dependencies between the system’s elements that can be considered in the 
model; or it implies increasing the size of the dynamic modules - with the described negative 
impact on calculatory effort. 

Thirdly, qualitative analyses are not possible, or possible only for very simple structures. 
This is owed to the transformation into the state space which does not follow the real system 
architecture as closely as the Boolean system model. One of the main benefits of the FTA is 
therefore missing in state based models: they cannot “automatically” transform the modelled 
structure into a minimal form. For example, the DFT provides - depending on its specific 
implementation - either “normal” Boolean minimal cutsets without any event sequence information, 
or provides minimal cutsets with “meta-events”, that cover complete markov models without 
further breaking them apart. 

Fourthly, state based models lack the “user-friendliness” of Boolean methods, also resulting 
from the Boolean model’s closeness to the real system architecture. Instead, components and 
their dependencies are, for example, expressed by states and state-transitions (in markov 
models), or by places and transitions and marks (in petri nets). Figure 2.3 shows an example. One 
effect resulting from these differences is that state-based methods and models are less easily 
readable, less comprehensible, less easy in maintenance, and less scalable than the conventional FTA 
[67]. 
Figure 2.3: On the left side, a PAND gate with inputs A and B, that need to occur in the 
sequence “A first, and then B”, in order for the gate event to occur. The symbol 
used is not the one used in [5] but is taken from the TFTA approach in chapter 4. 
The top right side shows a markov model from [66], which is equivalent to the PAND 
gate; the bottom right side shows a petri net from [59], which is also equivalent to 
the PAND gate ($T_A$ and $T_B$ represent the time-to-failure of A and B). 


2.3.4 Dynamic FTA - Based on a Temporal Failure Logic 

Another possibility to include temporal dependencies is to use a temporal logic that extends 
the conventional Boolean logic. A temporal logic describes not only structural combinations of 
different events - that is the Boolean approach -, but also has a concept of time. The latter 
is used to make statements on the points in time at which events occur, and to include such 
statements into the logic function. 

Applied to the field of reliability and safety, there are several approaches to use temporal logic 
for fault trees. One early approach of describing event sequences is found in [68]. It concentrates 
on probabilistic modelling aspects for individual event sequences; this is an approach that has 
later been revived and refined, e.g. in [59] and [69]. All these works do not expand onto a general 
temporal logic, which goes beyond taking individual event sequences into account. Therefore, 
they require that the relevant minimal failure sequences, that lead to the TOP event, have 
been found with other methods. This, of course, severely limits their application for complex 
projects. 

The first version of the fault tree handbook [5] was a de facto standard for fault tree analysis for 
a long time; it also describes a so-called priority AND (PAND) gate. This gate is used exclusively 
for qualitative modelling of event sequences; probabilistically it is treated as a conventional AND 
gate. This approach again focusses on individual event sequences, and it does not provide a 
further and generic temporal logic. For example, it is not discussed, whether - and how - 
the fault tree structure shown on the left side of figure 2.4 may be simplified, and/or if it is 
equivalent to the structure shown on the right side of figure 2.4. In the Boolean model with 
AND instead of PAND gates, both fault trees are equivalent, as the Boolean distributive law - 
see (4.32) on page 31 - yields $(A \wedge B) \vee (A \wedge C) = A \wedge (B \vee C)$. 



Figure 2.4: Questions on the state of the art of dynamic FTA using temporal logic. As the PAND 
gates introduced in [5] lack a universal temporal logic, it is undefined, whether both 
shown fault trees are equivalent or not. The PAND gates’ symbols used in this figure 
are not the ones from [5], but from the TFTA approach presented in chapter 4. 


The interval-based temporal logic of the so-called AND-Then gates in [70] pursues a broader 
approach, as does the work presented in [71, 72] and the so-called temporal fault trees in 
[73]. They all stem from the field of formal fault tree analysis, which is mainly motivated by 
adopting the conventional fault tree analysis method, so as to model software based systems 
and their “failures”. Failure analysis of software based systems is fundamentally different from 
the conventional and hardware orientated ZSA, especially because of their very different failure 
mechanisms. An overview on the state of the art of FTA for software based systems is given 
in [74]. Because of the high dynamics of software based systems, the temporal logics presented 
in the works above are also complex and complicated; furthermore, their application is quite 
different to conventional FTA, because of their very strict definitions. 

In earlier work, Heidtmann interpreted modal logic [75], which originates in the field of 
theoretical philosophy, for reliability modelling, see [11] and [34]. His temporal logic describes 
event sequences not directly, but asserts so-called anytime- and always-relationships between 
events. Using these, many temporal dependencies and contexts may be portrayed, including 
event sequences. Heidtmann discusses the qualitative as well as the probabilistic application 
of his temporal logic, and he is not limited to the fault tree method. On the other hand and 
because of its power, his logic involves comparably complex models and calculations. 

The dedicated aim of the Pandora approach in [76, 77] is to provide a “useable” method that is 
similar to conventional FTA. The term “Pandora” puns on the figure from Greek legend, as well 
as it is a composite of “Priority AND” and the Greek term ώρα (ora), which means “time” [76]. 
Creation and analysis of Pandora fault trees is similar to conventional Boolean FTA. By using 
additional temporal gates - which are called PAND, SAND, and POR - a temporal failure 
function of the TOP event is built. This function is then transformed into a minimal form 
by applying temporal logic simplification laws that are sketched in [77]. Central to these laws 
is the concept of so-called “doublets”. A doublet describes the temporal relationship between 
exactly two events, and is itself treated like a basic event. Temporal relationships are given only 
relative to each other, i.e. the absolute points in time when events occur are not considered. 
The minimal form is the equivalent to the minimal cutsets in conventional FTA; it allows a 
qualitative analysis of the failure behaviour including event sequence information. The concept 
of doublets simplifies the analysis greatly; but it also limits the Pandora approach in terms of 
probabilistic analysis, specifically because it leaves unresolved (temporal) dependencies between 
doublets. For example, in Pandora [77] the expression “A occurs first, and then B and C occur” 
is written as 

$$A \,\mathrm{PAND}\, (B \wedge C) = [(A \,\mathrm{PAND}\, C) \wedge (B \,\mathrm{PAND}\, C)] \vee [(A \,\mathrm{PAND}\, B) \wedge (B \,\mathrm{SAND}\, C)] \vee [(A \,\mathrm{PAND}\, B) \wedge (C \,\mathrm{PAND}\, B)] . \quad (2.1)$$ 

Instead of the original Pandora notation, the notation from chapter 4 is used here, in order to 
improve comparability of the results. Each term in round brackets on the right side indicates 
one doublet. 

These doublets allow qualitative analyses, but they cannot be simply quantified, as shown by 
the following considerations. 

A Boolean conjunction, e.g. $(A \wedge C) \wedge (B \wedge C)$, must not, in general, be quantified by simple 
multiplication of the individual event probabilities; i.e. 

$$F_{(A \wedge C) \wedge (B \wedge C)} \neq (F_A \cdot F_C) \cdot (F_B \cdot F_C) , \quad (2.2)$$ 

if it is not given in a minimal form already, or the individual events are not independent from 
each other. If these conditions are satisfied, e.g. after transforming into 

$$(A \wedge C) \wedge (B \wedge C) = A \wedge B \wedge C , \quad (2.3)$$ 

then a direct quantification is possible: 

$$F_{(A \wedge C) \wedge (B \wedge C)} = F_{A \wedge B \wedge C} = F_A \cdot F_B \cdot F_C . \quad (2.4)$$ 

In analogy, Pandora expressions, like the one shown above, must not be quantified directly. For 
example, the “joint” event C in both doublets, i.e. an unresolved dependency between both 
doublets, is the reason for 

$$F_{(A \,\mathrm{PAND}\, C) \wedge (B \,\mathrm{PAND}\, C)} \neq F_{A \,\mathrm{PAND}\, C} \cdot F_{B \,\mathrm{PAND}\, C} . \quad (2.5)$$ 

The TFTA approach presented in this work adopts some aspects of Pandora. But the TFTA 
goes beyond Pandora by (among others) 

• providing a complete and systematic set of logic transformation laws of universal validity 
and applicability, where Pandora only sketches temporal logic rules in [77], and 

• allowing probabilistic, as well as qualitative modelling and analysis, where Pandora stays 
qualitative, and 

• not pursuing the concept of doublets, that is not well-suited for probabilistic analysis, and 

• not using a POR operator. 

The differences from that may be demonstrated by comparing the Pandora expression from 
above with an equivalent expression according to the TFTA approach. Anticipating the chapters 
below, the latter is given as 

$$A \,\mathrm{PAND}\, (B \wedge C) = A \,\mathrm{PAND}\, B \,\mathrm{PAND}\, C \;\vee\; B \,\mathrm{PAND}\, A \,\mathrm{PAND}\, C \;\vee\; A \,\mathrm{PAND}\, C \,\mathrm{PAND}\, B \;\vee\; C \,\mathrm{PAND}\, A \,\mathrm{PAND}\, B \;\vee\; (A \,\mathrm{SAND}\, B) \,\mathrm{PAND}\, C \;\vee\; A \,\mathrm{PAND}\, (B \,\mathrm{SAND}\, C) \;\vee\; (A \,\mathrm{SAND}\, C) \,\mathrm{PAND}\, B . \quad (2.6)$$ 

As shown in this thesis, these terms may be quantified directly - and they may also be 
transformed into a more compact form in order to reduce the calculatory effort: 

$$A \,\mathrm{PAND}\, (B \wedge C) = (A \wedge B) \,\mathrm{PAND}\, C \;\vee\; (A \wedge C) \,\mathrm{PAND}\, B \;\vee\; A \,\mathrm{PAND}\, (B \,\mathrm{SAND}\, C) . \quad (2.7)$$ 

The right side expressions are mutually exclusive (disjoint), thus 

$$F_{A \,\mathrm{PAND}\, (B \wedge C)}(t) = F_{(A \wedge B) \,\mathrm{PAND}\, C}(t) + F_{(A \wedge C) \,\mathrm{PAND}\, B}(t) + F_{A \,\mathrm{PAND}\, (B \,\mathrm{SAND}\, C)}(t) = \int_0^t \left( F_A(\tau) F_B(\tau) f_C(\tau) + F_A(\tau) F_C(\tau) f_B(\tau) \right) \mathrm{d}\tau . \quad (2.8)$$ 
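To show how a quantification like (2.8) is actually carried out, here is an added Python example; it is not code from the thesis. It integrates the right-hand side of (2.8) numerically for three independent basic events and checks the result both against a closed form and against a Monte Carlo simulation of the sequence A PAND (B ∧ C). The constant failure rates, the mission time and the exponential failure time distributions are constructed assumptions of this example; the thesis does not fix them at this point.

```python
import math
import random

# Constructed example data (not from the thesis): constant failure rates per
# hour for the basic events A, B and C, and a mission time in hours.  Exponential
# failure time distributions are assumed for all three events.
LAMBDA = {"A": 1.0e-3, "B": 2.0e-3, "C": 5.0e-4}
MISSION_TIME = 1000.0


def F(name, tau):
    """Failure probability (unreliability) of basic event `name` at time tau."""
    return 1.0 - math.exp(-LAMBDA[name] * tau)


def f(name, tau):
    """Failure density of basic event `name` at time tau."""
    return LAMBDA[name] * math.exp(-LAMBDA[name] * tau)


def integrand(tau):
    """Integrand of (2.8): F_A F_B f_C + F_A F_C f_B.

    The first product covers the sequences in which C fails last while A and B
    have already failed, i.e. (A AND B) PAND C; the second covers (A AND C) PAND B.
    The third term of (2.7), A PAND (B SAND C), needs B and C to fail at exactly
    the same instant and has probability zero for continuous distributions, so
    it contributes nothing to the integral.
    """
    return (F("A", tau) * F("B", tau) * f("C", tau)
            + F("A", tau) * F("C", tau) * f("B", tau))


def prob_a_pand_b_and_c(t, steps=2000):
    """Evaluate (2.8) numerically with the composite Simpson rule."""
    if steps % 2:
        steps += 1
    h = t / steps
    total = integrand(0.0) + integrand(t)
    for k in range(1, steps):
        total += (4 if k % 2 else 2) * integrand(k * h)
    return total * h / 3.0


def closed_form_a_pand_b_and_c(t):
    """Closed form of (2.8) for exponential distributions, used as a cross-check.

    Expanding (1 - e^{-x tau})(1 - e^{-y tau}) z e^{-z tau} and integrating each
    exponential term separately gives `part`; the second call exchanges the
    roles of B and C.
    """
    a, b, c = LAMBDA["A"], LAMBDA["B"], LAMBDA["C"]

    def part(x, y, z):
        return z * ((1 - math.exp(-z * t)) / z
                    - (1 - math.exp(-(x + z) * t)) / (x + z)
                    - (1 - math.exp(-(y + z) * t)) / (y + z)
                    + (1 - math.exp(-(x + y + z) * t)) / (x + y + z))

    return part(a, b, c) + part(a, c, b)


def simulate_a_pand_b_and_c(t, samples=200_000, seed=1):
    """Monte Carlo estimate of the same probability.

    A PAND (B AND C) is True at mission time t if all three events have failed
    by t and A failed strictly before the later of B and C.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        ta, tb, tc = (rng.expovariate(LAMBDA[n]) for n in "ABC")
        if max(ta, tb, tc) <= t and ta < max(tb, tc):
            hits += 1
    return hits / samples


if __name__ == "__main__":
    t = MISSION_TIME
    print(f"numerical integration of (2.8): {prob_a_pand_b_and_c(t):.5f}")
    print(f"closed form:                    {closed_form_a_pand_b_and_c(t):.5f}")
    print(f"Monte Carlo estimate:           {simulate_a_pand_b_and_c(t):.5f}")
```

The simulation is the independent check a practitioner wants before trusting a hand-derived integral: it uses only the definition of the PAND operator on sampled failure times, not the expansion in (2.7), so agreement between the three numbers confirms that the disjoint terms of (2.7) were translated into the integrand correctly.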


2.4 Summary 

Conventional Boolean FTA is state of the art for systematic, top-down, and qualitative as well 
as probabilistic analysis of the failure behaviour of complex systems in several industries and 
application fields (see chapters 2.1 and 2.2). 

The call for an improved consideration of time-dependencies led to the development of several 
extensions of the Boolean FTA in order to take into account dynamic effects and specifically 
sequence dependencies, see chapter 2.3.1. There are two main strategies for such consideration 
of event sequences: On the one hand the Boolean fault tree model is transformed into a state- 
based model, which allows the calculation of dynamic effects (see chapter 2.3.3). On the other 
hand, an extended and temporal logic is used instead of the Boolean (failure) logic, see chapter 
2.3.4. 

In the past several proposals for each of the two strategies were presented. Moreover, some of 
the state-based extensions are being used for solving real-world problems today. But by 
switching into the state-space these approaches lose some of the main advantages of conventional 
FTA, specifically with respect to the necessary calculatory effort, its intuitive usability, and its 
ability to provide meaningful qualitative analyses. 

Very powerful but also very complex methods dominate the field of extensions by temporal 
logic; they stem mainly from research on applying the FTA on software. Further research 
is needed for improved usability, in order to convey the conventional Boolean FTA’s 
“user-friendliness” onto dynamic FTA. 

Figure 2.5 shows how the TFTA approach presented in this thesis fits into the state of the 
art, and it differentiates the TFTA from other methods. 
Figure 2.5: TFTA approach in comparison to the state of the art and other methods of considering 
“dynamic effects” within ZSA. 



3 Problem Definition: Event Sequences in 
FTA without Modularization 


Simplicity is the final achievement. 

(Frederic Chopin) 


3.1 Demand for Improved Methods 

3.1.1 Demand for Dynamic FTA 

One of the FTA’s vital objectives is the probabilistic evidence that the failure rate and failure 
probability of a system are lower than given target values. Practical experience shows that in 
many cases reaching these target values - derived from e.g. safety standards like IEC 61508 or 
ISO 26262 - is a close call. Modelling the same system with a dynamic FTA provides less 
conservative results than the conventional FTA; this, of course, helps to comply with probabilistic 
target values. It is much more credible to improve one’s system analysis by using such a 
dynamic and more detailed method than to reach compliance with one’s objectives by improving 
(reducing) the failure data input to the basic events; the latter is often hardly justifiable. 

For systems with higher safety levels the conventional qualitative single failure analysis using 
FMEA is not sufficient [9, 78]. In such cases and for complex system architectures the qualitative 
FTA improves systematic understanding of multiple failure interaction. For example, it is very 
efficient to improve the safety of programmable systems by making the conditions of switching 
elements dependent on sequential information. Fail-activation is reduced as only certain 
sequences of trigger events are relevant. In many cases such sequential conditions can be added 
into integrated circuits with only negligible costs. When compared to the conventional FTA, an 
FTA that takes such sequences into account can then provide a much more meaningful view on 
the system under consideration. 

Chapter 6 shows an example system where conventional Boolean fault tree modelling and 
analysis provides only imprecise results. 

3.1.2 Demand for Improved Dynamic FTA 

Dynamic extensions to FTA, as listed in chapter 2.3, aim at the correct probabilistic calculation 
of fault trees; this is especially true for the state based methods like DFT. Chapter 6.3 shows 
an example where the DFT succeeds in this respect and thus proves to be a real improvement 
when compared to the conventional Boolean FTA. 

Criticism of state based extensions comprises mainly the following aspects: 
• state based extensions are limited in their use for qualitative analysis of sequence effects. 
This comes from the forced change between methods with Boolean fault tree logic on the 
one hand and a state based dynamic model on the other hand. 

• they are limited in case of interdependencies between dynamic and non-dynamic parts 
(modules) of the same fault tree. 

• probabilistic calculation is rather costly and approximations are not easy to identify and 
use. 

Practical experience shows that there is a certain correlation between the necessities of 
probabilistic and qualitative analyses of dynamic effects. Therefore, from an effort point of view it 
is beneficial to cover both aspects with the same modelling method. Methods are needed that 
allow both analyses with reasonable effort and ideally also allow a stepwise workflow: first the 
results are only approximated, then the most important contributors are identified, and then 
only for those the more complex but exact calculations are done. 

3.1.3 Remarks on Using Dynamic FTA 

In general, an analysis’ effort and its benefit must not be disproportionate to each other even if 
there is a very understandable quest to model the reality (which is dynamic, see chapter 2.1.2.1) 
as exactly and detailed as possible. Today there are several attempts to extend the Boolean FTA 
with dynamic effects and event sequences; but many of those extensions are limited to simple 
and mostly academic examples. This is especially true for approaches based on a temporal logic; 
their very high complexity conflicts with their practical usability. 

Usability, (relative) ease of use, and scalability are three critical success factors of the 
conventional FTA; and they have added tremendously to the FTA being first choice for safety and 
reliability analyses in many domains. 

In order to transfer this success, the dynamic FTA needs to satisfy the following generic 
requirements: 

• real system effects must translate into the model’s logic easily, 

• the actual implementation into a fault tree needs to be possible with reasonable effort, 

• qualitative as well as probabilistic calculations must be possible without changing the 
analysis method, 

• computing time must be reasonable, 

• the fault tree as well as its results must be easily readable and comprehensible, 

• scalability and possibility to detail and extend parts of the fault tree. 

3.2 Concept 

3.2.1 Requirements for TFTA 

By taking useability and practical considerations into account the following is required from the 
new TFTA method: 


1. The temporal TFTA logic shall be able to model sequence dependencies between events. 
2. The temporal TFTA logic shall be a detailing (extension) of the Boolean logic. 

3. The TFTA shall be similar to the conventional FTA regarding notation, abstract concept, 
workflow, work products. 

4. The qualitative TFTA shall provide minimal event sequences similar to the Boolean minimal 
cutsets. Each “minimal cutset sequence” shall consist of “temporal conjunction terms” 
similar to the Boolean AND term but including event sequence information. The TOP 
or system failure function shall then consist of such “minimal cutset sequences” given in 
“temporal disjunctive normal form”. 

5. In order to allow for probabilistic analysis the “minimal cutset sequences” shall be disjoint 
(i.e. mutually exclusive); this allows for easy quantification by convolution of the failure 
densities / frequencies. 

6. In order to reduce calculation efforts the TFTA shall support step-wise modelling: a 
first step provides only approximations; more exact calculations follow only for the most 
important contributors. It shall be possible to calculate exact results if necessary. 

Assumptions on TFTA 

The following discussions are based on two assumptions: 

1. fault trees are monotone (sometimes also called coherent) and 

2. all component failures are non repairable. 

3.2.2 TFTA - Step by Step 

Figure 3.1 shows the TFTA workflow with its multiple steps. First, there is the two step 
qualitative transformation of the initial logic expression into a minimal and later disjoint form; 
in a second step, this is then quantified probabilistically. This workflow is very similar to the 
workflow of conventional FTA; there, too, minimal cutsets need not automatically be mutually 
exclusive. The TFTA workflow is split into two steps because of the potentially very high effort 
necessary for transforming a minimal temporal expression into mutually exclusive terms. 

The structure of chapter 4 is influenced by these workflow steps, too; chapter 4.1 provides the 
notation of the temporal logic; chapter 4.2 provides the TFTA’s (temporal) rules of 
transformation; chapter 4.3 describes the transformation into mutually exclusive sequences; and chapter 5 
provides the probabilistic evaluation of temporal expressions. 
Figure 3.1: Step by step workflow of the TFTA with its two-step transformation of a temporal 
expression into a minimal and then mutually exclusive form, and probabilistic 
quantification. Approximations are possible, first, based on the mutually exclusive event 
sequences or, second and a little more imprecise, directly from the minimal event 
sequences. 








4 Temporal Fault Tree Analysis (TFTA): A 
New Approach to Dynamic FTA 


Time is the worst place, so to speak, 
to get lost in. 


(Douglas Adams) 


This chapter describes the temporal fault tree analysis (TFTA) which extends the Boolean FTA 
and allows analysis of event sequences. 

• Chapter 4.1 presents the notation of the new temporal TFTA logic. Specifically, there are 
two new temporal operators corresponding to two temporal fault tree gates. 

• At the heart of the new temporal logic there are several rules of transformation (“temporal 
logic laws”) described in chapter 4.2. They allow the transformation of a temporal 
expression into its temporal disjunctive normal form (TDNF). 

• Chapter 4.3 discusses minimal and disjoint temporal expressions. 

• There is an extended form of temporal expressions, as shown in chapter 4.4, which reduces 
the effort necessary for describing and calculating complex temporal failure functions - 
especially if such failure functions only include few real temporal relationships between 
events. 


4.1 TFTA Notation 

First of all, some remarks on the terms used: In the fault tree method basic events represent 
atomic failure events of real life entities (i.e. systems, components, parts, functions). Likewise, 
fault tree gates represent non-atomic “higher level” failure events. The terminology is sometimes 
confused so that there is no discrimination between “incidence of a real world failure event” and 
“fault tree event becomes True”, where the latter represents the real life event in the fault tree 
model. 

4.1.1 Boolean Algebra and the FTA Failure Logic 

In the context of FTA events are failure events. Contrary to uses of the Boolean algebra 
for reliability calculations, the FTA therefore uses a negated logic [14, chapter 14.4.2]. In 
the following text negating all events in their written form is omitted for reasons of better 
readability. For all failure events 

$$\begin{cases} \text{True or } 1 & \text{entity } i \text{ has failed} \\ \text{False or } 0 & \text{entity } i \text{ is operational} \end{cases} \quad (4.1)$$ 

For the TFTA approach most of the Boolean logic and its application on the fault tree stays 
the same: 

The conjunction using the AND operator and 

$$X_{\mathrm{AND}} = A \wedge B \quad (4.2)$$ 

is True, if and only if both events A and B are True. In fault trees the conjunction is represented 
by AND gates. 

The disjunction using the OR operator and 

$$X_{\mathrm{OR}} = A \vee B \quad (4.3)$$ 

is True, if either only event A or only event B is True, or if both events are True. In fault trees 
the disjunction is represented by OR gates. 

The negation using the NOT operator and 

$$X_{\mathrm{NOT}} = \neg A \quad (4.4)$$ 

is True, if and only if event A is False. The shorter $A \neg B$ is used below instead of $A \wedge \neg B$. In 
fault trees the negation is represented by NOT gates. 


4.1.2 Temporal Logic Operators 

The TFTA uses two temporal operators and their corresponding gates in addition to the Boolean 
operators and gates in order to describe temporal event relationships (see figure 4.1). 


PAND: The Sequence of Events 

The PAND operation (Priority AND) using the PAND operator and 

$$X_{\mathrm{PAND}} = A \,\mathrm{PAND}\, B \quad (4.5)$$ 

is True, if and only if 

• both events A and B are True and 

• A has become True before B has become True. 

Therefore, PAND describes a chronology of events becoming True after each other. In fault 
trees the PAND operation is represented by PAND gates. 



Figure 4.1: Fault tree gates of the TFTA: Boolean gates (left) and temporal gates (right) 
SAND: Concurrence of Events 

The SAND operation (Simultaneous AND) using the SAND operator and 

$$X_{\mathrm{SAND}} = A \,\mathrm{SAND}\, B \quad (4.6)$$ 

is True, if and only if 

• both events A and B are True and 

• A and B have become True simultaneously. 

Therefore, SAND describes events becoming True exactly at the same time. In fault trees the 
SAND operation is represented by SAND gates. 

Remark: PAND as well as SAND uses time indications relatively, i.e. no statement is made 
on the absolute (real) time at which an event becomes True. 

4.1.3 Boolean and Temporal Operations Visualized as Sets 

Figure 4.2 shows the different operators as sets and illustrates the relationships among them. 
First, there are two events A and B symbolized as sets. If A and B are the operands to AND 
and OR operators (i.e. they are inputs to Boolean AND and OR gates in a fault tree), then 
two sets result: $A \wedge B = B \wedge A$ (intersection) and $A \vee B = B \vee A$ (union). If A and B are the 
operands to PAND and SAND operators (i.e. they are inputs to temporal PAND and SAND 
gates in a temporal fault tree), then three sets result: $A \,\mathrm{PAND}\, B$ and $B \,\mathrm{PAND}\, A$ and $A \,\mathrm{SAND}\, B = B \,\mathrm{SAND}\, A$. 
Note, that negated events and their corresponding “sets” are not shown here. The depiction in 
figure 4.2 allows a first qualitative statement on the meaning of temporal operators/gates. 

According to (4.5) and (4.6) PAND and SAND events are real subsets of the Boolean 
conjunction $A \wedge B = B \wedge A$ (“...both events A and B are True ...”). There are three possible 
sequences how two events A and B can “both be True” (see the law of completion in chapter 
4.2). 

As sets this may be written as 

$$A \,\mathrm{PAND}\, B \subset A \wedge B, \quad A \,\mathrm{SAND}\, B \subset A \wedge B, \quad B \,\mathrm{PAND}\, A \subset A \wedge B, \quad (4.7)$$ 


[Figure 4.2: set diagrams, from top to bottom: A and B; A ∧ B and A ∨ B; A PAND B, A SAND B 
and B PAND A.] 

Figure 4.2: Temporal operations from top to bottom: events A and B; their intersection (AND) 
and union (OR); the three subsets defined by distinction between the possible event 
sequences (PAND and SAND). 
[Figure 4.3: temporal sequence diagrams, panels (a) to (d). The rows show the logic levels over 
time of A and B, of the events A ∧ B, A PAND B, B PAND A, A SAND B and A ∨ B formed from 
them, and of their negations.] 

Figure 4.3: Temporal sequence of two events: In (a) and (c) event A becomes True before B 
(upper two rows); the following rows show which events formed by A and B become 
True at which time. In (b) and (d) events A and B become True simultaneously. 

[Figure 4.4: state diagram with the three transition sequences A PAND B, B PAND A and 
A SAND B.] 

Figure 4.4: Illustration of the three possible sequences of state transitions (which are mutually 
exclusive) that lead to failure of both components of the example system in figure 
2.1. 

$$A \wedge B \subset A , \quad A \wedge B \subset B . \quad (4.8)$$ 

Events $A \,\mathrm{PAND}\, B$, $B \,\mathrm{PAND}\, A$, and $A \,\mathrm{SAND}\, B$ are pairwise mutually exclusive, i.e. there is no intersection 
between them (see chapter 4.3): 

$$A \,\mathrm{PAND}\, B \perp A \,\mathrm{SAND}\, B, \quad A \,\mathrm{PAND}\, B \perp B \,\mathrm{PAND}\, A, \quad A \,\mathrm{SAND}\, B \perp B \,\mathrm{PAND}\, A . \quad (4.9)$$ 
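The following added Python example (not code from the thesis) gives the operators of (4.2) to (4.6) a simple timed interpretation, in which an event is represented by the point in time at which it becomes True, and uses it to check two statements of the text mechanically: that A PAND B, B PAND A and A SAND B partition A ∧ B as stated in (4.7) and (4.9), and that the Pandora expression (2.1), the TFTA expansion (2.6) and its compact form (2.7) from chapter 2.3.4 all agree with A PAND (B ∧ C) over every ordering of three events, including simultaneous occurrence and events that never occur. The timed interpretation and the sample timings are assumptions of the example.

```python
import itertools
import math

# Timed interpretation of the TFTA operators (an assumption of this example):
# every event is represented by the point in time at which it becomes True,
# with math.inf meaning "never becomes True".  A compound expression evaluates
# to the time at which it becomes True, so operators can be nested freely.
INF = math.inf


def AND(ta, tb):
    """Both True (4.2): True from the later of the two times on."""
    return max(ta, tb)


def OR(ta, tb):
    """At least one True (4.3): True from the earlier time on."""
    return min(ta, tb)


def PAND(ta, tb):
    """A strictly before B (4.5): becomes True when B becomes True."""
    return tb if ta < tb < INF else INF


def SAND(ta, tb):
    """A and B at exactly the same time (4.6)."""
    return ta if ta == tb < INF else INF


def is_true(t):
    return t < INF


def law_of_completion_holds(ta, tb):
    """A AND B equals the disjunction of A PAND B, B PAND A and A SAND B, and
    exactly one of the three is True whenever A AND B is (cf. (4.7), (4.9))."""
    parts = [PAND(ta, tb), PAND(tb, ta), SAND(ta, tb)]
    n_true = sum(is_true(p) for p in parts)
    if is_true(AND(ta, tb)):
        return n_true == 1 and OR(OR(parts[0], parts[1]), parts[2]) == AND(ta, tb)
    return n_true == 0


def tfta_expansion(ta, tb, tc):
    """Right-hand side of (2.6): seven event sequences (PAND chains are left-associated)."""
    terms = [
        PAND(PAND(ta, tb), tc), PAND(PAND(tb, ta), tc),
        PAND(PAND(ta, tc), tb), PAND(PAND(tc, ta), tb),
        PAND(SAND(ta, tb), tc), PAND(ta, SAND(tb, tc)), PAND(SAND(ta, tc), tb),
    ]
    return any(is_true(x) for x in terms)


def tfta_compact(ta, tb, tc):
    """Right-hand side of (2.7): three mutually exclusive terms."""
    terms = [PAND(AND(ta, tb), tc), PAND(AND(ta, tc), tb), PAND(ta, SAND(tb, tc))]
    assert sum(is_true(x) for x in terms) <= 1, "terms of (2.7) must be disjoint"
    return any(is_true(x) for x in terms)


def pandora_doublets(ta, tb, tc):
    """Right-hand side of (2.1): doublets combined by Boolean AND and OR.  Each
    doublet is used as a truth value only, as Pandora treats it like a basic event."""
    d = is_true
    return ((d(PAND(ta, tc)) and d(PAND(tb, tc)))
            or (d(PAND(ta, tb)) and d(SAND(tb, tc)))
            or (d(PAND(ta, tb)) and d(PAND(tc, tb))))


def all_orderings():
    """Every ordering of three events, including ties and events that never occur."""
    return itertools.product([1.0, 2.0, 3.0, INF], repeat=3)


def expansions_agree():
    """True if (2.1), (2.6) and (2.7) agree with A PAND (B AND C) for all orderings."""
    for ta, tb, tc in all_orderings():
        lhs = is_true(PAND(ta, AND(tb, tc)))
        if not (lhs == tfta_expansion(ta, tb, tc) == tfta_compact(ta, tb, tc)
                == pandora_doublets(ta, tb, tc)):
            return False
    return True


if __name__ == "__main__":
    print("law of completion holds:",
          all(law_of_completion_holds(a, b) for a in (1.0, 2.0, INF) for b in (1.0, 2.0, INF)))
    print("(2.1), (2.6), (2.7) agree with A PAND (B AND C):", expansions_agree())
```

Exhaustively enumerating the 64 timing combinations is enough here because the operators only compare the order of occurrence times, not their values; this is exactly the "relative time" remark after (4.6).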

4.1.4 Temporal Operations: Timing Behaviour 

Temporal sequence diagrams illustrate (temporal) relationships between events. Figure 4.3 
shows logic levels over time for Boolean and temporal operators used in the TFTA. In general, 
events may become True in sequence or simultaneously (see sub-figures (a) and (c) and (b) and 
(d) respectively). 

The possible failure sequences in a system which result from those timings may be shown e.g. 
with state diagrams. In a simple example system consisting of two redundant components (see 
state diagram in figure 2.1), where events may become True after each other or simultaneously, 
there are the three possible state transition sequences which were already mentioned and which 
are shown in figure 4.4. These sequences correspond to the two PAND operations $A \,\mathrm{PAND}\, B$ and 
$B \,\mathrm{PAND}\, A$ on the one hand and the SAND operation $A \,\mathrm{SAND}\, B$ on the other hand. 

From page 33 on further examples of temporal sequence diagrams are compared with other 
methods of illustration. 

4.1.5 Syntax of Temporal Expressions 

A logic expression with at least one temporal operator is called temporal-logic expression or 
shorter: temporal expression. 

In conventional FTA a Boolean expression which is represented by the fault tree’s TOP event 
is called Boolean failure function and is symbolized by $\varphi$. In the TFTA the TOP event represents 
a temporal expression which is called temporal failure function and is symbolized by its own 
symbol $\varpi$ for better discrimination in the following text. 

The next sections explain elements of a temporal logic grammar as used by TFTA. This 
grammar is summarized in table 4.1. The temporal logic’s operators $\{\wedge, \vee, \mathrm{PAND}, \mathrm{SAND}, \neg\}$ are used 
as terminal symbols. 

Atomic Events/Basic Events 

Atomic events are the smallest event entities in temporal expressions, and are not further 
dividable. Within the temporal fault tree they are represented by basic events which do not 
differ from those basic events used in conventional FTA. Particularly, probabilistic (failure) data 
like failure rates may be assigned to them. 

The formal grammar of the temporal logic uses the ae token for atomic events. 

Negated atomic events with token nae are - as the name suggests - the negation of atomic 
events: 

$$\mathrm{nae} \to \neg\mathrm{ae} . \quad (4.10)$$ 

Within the TFTA negated events have a special meaning, see chapter 4.2.8. 


General Temporal Expressions 

In general, a temporal expression either consists of a basic event, or consists of two other 
temporal expressions, which are connected by a temporal (including Boolean) operator, or 
consists of a negation of another temporal expression. Therefore 

$$\mathrm{tt} \to \mathrm{ae} \;\mid\; \mathrm{tt} \wedge \mathrm{tt} \;\mid\; \mathrm{tt} \vee \mathrm{tt} \;\mid\; \mathrm{tt} \,\mathrm{PAND}\, \mathrm{tt} \;\mid\; \mathrm{tt} \,\mathrm{SAND}\, \mathrm{tt} \;\mid\; \neg\mathrm{tt} \quad (4.11)$$ 

Aside from the additional temporal operators this corresponds to the formal representation of 
Boolean expressions. 

This general form is not suited for direct qualitative or probabilistic analysis. From chapter 
4.2 on, transformation laws for temporal expressions are described that allow transforming any 
temporal expression into a TDNF - which in turn allows further analysis. The following sections 
explain the structure of this TDNF. 
Token | Description                  | Format         | Example 
------+------------------------------+----------------+-------------------------------------------------------- 
ae    | atomic event (basic event)   | -              | X; Y; Z 
nae   | negated atomic event         | ¬ae            | 
ce    | core event                   | ae             | see above 
      |                              | ce SAND ae     | X SAND Y; X SAND Y SAND Z 
nce   | negated core event           | nae            | see above 
      |                              | nce ∧ nae      | ¬X ∧ ¬Y = ¬X¬Y; ¬X ∧ ¬Y ∧ ¬Z = ¬X¬Y¬Z 
es    | event sequence               | ce             | see above 
      |                              | es PAND ce     | X PAND Y; (X SAND Y) PAND Z 
nes   | event sequence with          | nce ∧ es       | ¬X ∧ Y; ¬X ∧ (Y PAND Z); 
      | negated events               |                | (¬X¬Y) ∧ Z; (¬X¬Y) ∧ (Y PAND Z) 
tdnf  | temporal expression in TDNF  | es             | see above 
      |                              | nes            | see above 
      |                              | tdnf ∨ tdnf    | X ∨ Y; [¬X ∧ (Y PAND Z)] ∨ [(X SAND Y) PAND Z] 
ece   | extended core event          | ae ∧ ae        | X ∧ Y 
      |                              | ece ∧ ae       | X ∧ Y ∧ Z 
ees   | extended event sequence      | ece            | see above 
      |                              | ees PAND ece   | (X ∧ Y) PAND (A ∧ Z) 
      |                              | ees PAND ce    | (X ∧ Y) PAND (A SAND Z) 
      |                              | es PAND ece    | X PAND (Y SAND Z) PAND (A ∧ B) 
nees  | extended event sequence with | nce ∧ ees      | ¬Z ∧ (X ∧ Y); ¬Z ∧ [(X ∧ Y) PAND (A SAND B)]; 
      | negated events               |                | ¬Z ∧ [(X ∧ Y) PAND (A ∧ B)] 
etdnf | temporal expression in       | ees            | see above 
      | extended TDNF                | nees           | see above 
      |                              | etdnf ∨ tdnf   | (X ∧ Y) ∨ Z; [¬X ∧ (Y PAND Z)] ∨ [(X ∧ Y) PAND Z] 
      |                              | etdnf ∨ etdnf  | (X ∧ Y) ∨ (A ∧ B); [¬Z ∧ (X ∧ Y)] ∨ [Z PAND (A ∧ B)] 
tt    | generic temporal expression  | ae             | see above 
      |                              | tt ∧ tt        | (A ∨ B) ∧ (C PAND D) 
      |                              | tt ∨ tt        | A ∨ ¬(C ∧ D) 
      |                              | tt PAND tt     | (A ∨ B) PAND (C ∨ D) 
      |                              | tt SAND tt     | (A ∨ B) SAND (C ∨ D) 
      |                              | ¬tt            | ¬(C ∧ D) 

Table 4.1: The syntax of temporal expressions: the more complex tokens are based on the 
token of an atomic event (basic event) as an entity which is not further dividable; 
complex tokens are: core events, event sequences and temporal expressions in TDNF; 
they are composed in multiple ways. The examples given do not include all possible 
combinations. The lower part of the table shows temporal expressions in a more 
generic form; those need to be transformed for further analysis. 
4.1.5.1 Temporal Disjunctive Normal Form (TDNF, Sum of Products) 

Core Events 

In the temporal logic, core events describe that one or more events become True at a certain 
point in time. Negated core events indicate that at a given time one or more events have not 
(yet) become True. Many equations in this thesis use $K$ for core events. 

A core event is represented by the token ce and consists either of one atomic event, or of a 
temporal expression (in brackets) which itself consists only of SAND connected atomic events. 
More formally, 

$$ce \rightarrow ae \;|\; ce \curlywedge ae . \qquad (4.12)$$

A negated core event (token nce) consists either of one negated atomic event, or of a 
temporal expression (in brackets) which itself consists only of AND connected negated atomic 
events. More formally, 

$$nce \rightarrow nae \;|\; nce \wedge nae . \qquad (4.13)$$

Event Sequences 

Event sequences are the temporal logic's equivalent of Boolean cutsets. They describe a temporal 
sequence of one or more core events. In analogy to the Boolean minimal cutsets, minimal event 
sequences (MCSS, see chapter 4.3.2) have a special significance in the temporal logic. 

Event sequences with negated events are important for transforming temporal expressions into 
disjoint, i.e. mutually exclusive, terms. This is similar to the Boolean logic. Many equations in 
this thesis use $ES$ for event sequences. 

Event sequences are represented by the token es and consist either of exactly one core event, 
or of several PAND connected core events. More formally, 

$$es \rightarrow ce \;|\; es \lhd ce . \qquad (4.14)$$

Additionally, there are event sequences with negated events, consisting of exactly one negated 
core event which is AND connected with exactly one event sequence. They are represented by 
the token nes. Therefore 

$$nes \rightarrow nce \wedge es . \qquad (4.15)$$

Temporal Expressions in TDNF 

Event sequences, connected by OR operators, provide the temporal disjunctive normal form 
(TDNF): 

$$w = \bigvee_{i=1}^{\zeta} ES_i = ES_1 \vee ES_2 \vee \ldots \vee ES_\zeta . \qquad (4.16)$$

The symbol $\zeta$ indicates the number of event sequences $ES$ of $w$, which themselves are not 
necessarily already in a minimal form. More formally, 

$$tdnf \rightarrow es \;|\; nes \;|\; tdnf \vee tdnf . \qquad (4.17)$$
4.1.5.2 Extended TDNF (Sum of Products) 

Temporal Expression in Extended TDNF 

The extended TDNF of a temporal failure function $w$ is given as $\zeta$ extended event sequences 
$eES_j$ which are connected by OR operators: 

$$w = \bigvee_{j=1}^{\zeta} eES_j = eES_1 \vee eES_2 \vee \ldots \vee eES_\zeta . \qquad (4.18)$$

This extended TDNF greatly simplifies the qualitative as well as the probabilistic transformations 
and calculations. More formally, 

$$etdnf \rightarrow ees \;|\; nees \;|\; etdnf \vee tdnf \;|\; etdnf \vee etdnf . \qquad (4.19)$$

The extended TDNF consists of extended core events and extended event sequences with and 
without negated events. 

Extended Core Events 

An extended core event is represented by the token ece and consists of two or more AND 
connected atomic events. It is identical to the conventional conjunction of atomic events in 
Boolean algebra. Therefore, 

$$ece \rightarrow ae \wedge ae \;|\; ece \wedge ae . \qquad (4.20)$$

Extended Event Sequences 

Extended event sequences with token ees consist either of exactly one extended core event, or 
only of PAND connected extended core events, or of a mixture of PAND connected normal and 
extended event sequences. Thus, 

$$ees \rightarrow ece \;|\; ees \lhd ece \;|\; ees \lhd ce \;|\; es \lhd ece . \qquad (4.21)$$

Extended event sequences with negated events are defined as event sequences which consist 
of exactly one negated core event which is AND connected with exactly one extended event 
sequence; they are represented by the token nees. Formally, 

$$nees \rightarrow nce \wedge ees . \qquad (4.22)$$

The following chapters at first don't touch the subject of the extended form of temporal 
expressions. Chapter 4.4 then explains how the qualitative analysis is simplified by using 
extended event sequences. Chapter 5.4.2 discusses the probabilistic quantification of extended 
event sequences. 
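The grammar of (4.12) to (4.22), as an added example that is not part of the thesis: a recognizer that assigns an expression the most specific token of Table 4.1 it satisfies, one predicate per production. The tuple representation of expressions, the constructor names and the spellings 'pand' and 'sand' for $\lhd$ and $\curlywedge$ are my own assumptions; the sample expressions are taken from Table 4.1.

```python
"""Token recognizer for the TDNF and extended TDNF grammar, (4.12) to (4.22).

Added example, not code from the thesis.  An expression is a nested tuple:
('ev', 'X') for an atomic event, ('not', 'X') for a negated atomic event, or
(op, left, right) with op in {'and', 'or', 'pand', 'sand'}; 'pand' and 'sand'
stand for the PAND and SAND operators.  All names are my own choice.
"""

def EV(x):      return ('ev', x)
def NOT(x):     return ('not', x)
def AND(a, b):  return ('and', a, b)
def OR(a, b):   return ('or', a, b)
def PAND(a, b): return ('pand', a, b)
def SAND(a, b): return ('sand', a, b)

def _bin(e, op):
    """Operands (left, right) of e if it is a binary node with operator op, else None."""
    return e[1:] if e[0] == op else None

# one predicate per token; the production each one implements is quoted in its comment
def is_ae(e):    return e[0] == 'ev'
def is_nae(e):   return e[0] == 'not'
def is_ce(e):    # (4.12)  ce -> ae | ce SAND ae
    b = _bin(e, 'sand')
    return is_ae(e) or (b is not None and is_ce(b[0]) and is_ae(b[1]))
def is_nce(e):   # (4.13)  nce -> nae | nce AND nae
    b = _bin(e, 'and')
    return is_nae(e) or (b is not None and is_nce(b[0]) and is_nae(b[1]))
def is_es(e):    # (4.14)  es -> ce | es PAND ce
    b = _bin(e, 'pand')
    return is_ce(e) or (b is not None and is_es(b[0]) and is_ce(b[1]))
def is_nes(e):   # (4.15)  nes -> nce AND es
    b = _bin(e, 'and')
    return b is not None and is_nce(b[0]) and is_es(b[1])
def is_tdnf(e):  # (4.17)  tdnf -> es | nes | tdnf OR tdnf
    b = _bin(e, 'or')
    return is_es(e) or is_nes(e) or (b is not None and is_tdnf(b[0]) and is_tdnf(b[1]))
def is_ece(e):   # (4.20)  ece -> ae AND ae | ece AND ae
    b = _bin(e, 'and')
    return b is not None and (is_ae(b[0]) or is_ece(b[0])) and is_ae(b[1])
def is_ees(e):   # (4.21)  ees -> ece | ees PAND ece | ees PAND ce | es PAND ece
    b = _bin(e, 'pand')
    return is_ece(e) or (b is not None and (
        (is_ees(b[0]) and (is_ece(b[1]) or is_ce(b[1]))) or (is_es(b[0]) and is_ece(b[1]))))
def is_nees(e):  # (4.22)  nees -> nce AND ees
    b = _bin(e, 'and')
    return b is not None and is_nce(b[0]) and is_ees(b[1])
def is_etdnf(e): # (4.19)  etdnf -> ees | nees | etdnf OR tdnf | etdnf OR etdnf
    b = _bin(e, 'or')
    return is_ees(e) or is_nees(e) or (
        b is not None and is_etdnf(b[0]) and (is_tdnf(b[1]) or is_etdnf(b[1])))

# most specific token first: an atomic event is also a core event, an event sequence and a TDNF
TOKENS = [('ae', is_ae), ('nae', is_nae), ('ce', is_ce), ('nce', is_nce), ('es', is_es),
          ('nes', is_nes), ('ece', is_ece), ('ees', is_ees), ('nees', is_nees),
          ('tdnf', is_tdnf), ('etdnf', is_etdnf)]

def token(e):
    """Most specific token of Table 4.1 satisfied by e; 'te' for a generic expression."""
    for name, pred in TOKENS:
        if pred(e):
            return name
    return 'te'

if __name__ == '__main__':
    X, Y, Z, A, B = (EV(n) for n in 'XYZAB')
    for e in (SAND(X, Y), PAND(SAND(X, Y), Z), AND(NOT('X'), PAND(Y, Z)), AND(X, Y),
              PAND(AND(X, Y), SAND(A, Z)), OR(AND(X, Y), Z), PAND(OR(A, B), OR(X, Y))):
        print(token(e), e)
```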
4.1.6 Events that are "Part" of an Expression 

For certain transformations of the temporal logic it is necessary to identify events that are 
"part" of a temporal expression, and accordingly, to know whether a given expression "includes" 
a certain event. Specifically, it is necessary to know whether an event $X_i$ is part of an (extended) 
core event or of an (extended) event sequence. 

For a given event $X_i$ and a given expression $w$ with 

$$w = \begin{cases} X_1 \wedge X_2 \wedge \ldots \wedge X_n \,, \\ X_1 \lhd X_2 \lhd \ldots \lhd X_n \,, \\ X_1 \curlywedge X_2 \curlywedge \ldots \curlywedge X_n \,, \end{cases} \quad \text{and} \quad i \in \{1, 2, \ldots, n\} \,, \qquad (4.23)$$

$X_i$ is "part" of the expression $w$; or in other words: expression $w$ "includes" $X_i$. We propose a 
new operator to denote this relationship: 

$$X_i \in w . \qquad (4.24)$$

For example, 

$$A \in A \wedge B \,, \quad A \in A \lhd B \,, \quad B \in A \curlywedge B \,, \quad B \in A \lhd B \lhd C .$$
4.1.7 Visualization Using Sequential Failure Trees 

Sequential failure trees illustrate possible failure sequences within a (non-repairable) system. As 
such they help in understanding the exact meaning and logical statement of temporal expressions, 
and they can also be used as a verification tool. For instance, two different temporal expressions 
are logically identical if and only if they have identical sequential failure trees. 

The explanations below for "normal" sequential failure trees (without simultaneous events, 
i.e. without SAND connected events) roughly follow the findings in [79]. Chapter 4.1.7.2 then 
extends these ideas to general TFTA temporal expressions that may include SAND connections 
between events. 

Two examples: Figure 4.5 shows sequential failure trees for the two temporal expressions 
$A \lhd B \lhd C$ (on the left) and $A \lhd C$ (on the right), where both are used on a system with a total 
of three failure events $A$, $B$, and $C$. 

Figure 4.5: Sequential failure trees for the expressions $A \lhd B \lhd C$ (left side, including SAND 
connections) and $A \lhd C$ (right side, without SAND connections, and shown as a 
"simplified" tree). Rectangular nodes include SAND connections; circular nodes do 
not include SAND connections. Nodes that represent a system failure are filled in 
black; nodes that do not represent a system failure are filled in white; non-minimal 
failure nodes are crosshatched. 
4.1.7.1 Normal Sequential Failure Trees (without SAND) 

The sequential failure tree for a system comprised of $n$ elements (e.g. components) has $n + 1$ 
levels with $\binom{n}{i} \cdot i!$ nodes on each level $i \in \{0, 1, \ldots, n\}$, see figure 4.5. Each node represents 
one specific system state $r$ and may be expressed as a vector $K_r = (X_1, X_2, \ldots, X_n)$; all elements 
that are not failed in this system state are written as 0 (False), and all failed elements are 
written as $1, 2, \ldots, i$ according to the failure sequence that led to this system state. 

For example, the sequence $A \lhd B \lhd C$, i.e. "A before B before C", corresponds to the vector 
$K = (1, 2, 3)$. The node on the top most level (level 0) has the zero vector $K = (0, 0, \ldots, 0)$. 

A system's temporal failure function $w$ may be expressed as a function of the vectors $K_r$: 

$$w(K_r) = \begin{cases} 1 \,, & \text{if the system is failed in state } r \,, \\ 0 \,, & \text{if the system is not failed in state } r . \end{cases} \qquad (4.25)$$

With the exception of the one node on level 0, every node $K$ has exactly one predecessor node 
$K'$. With the exception of the nodes on the lowest level $n$, every node has at least one successor 
node $K''$. 

Because of the definite sequence the following always holds: 

$$K > K' . \qquad (4.26)$$

According to this "vector inequation", no element in $K$ may be less than the corresponding 
element in $K'$, and at least one element in $K$ must be greater than the corresponding element 
in $K'$. 

Accordingly, 

$$K < K'' . \qquad (4.27)$$

Taking the property of monotony into account, the following statement holds for failure 
functions: 

$$w(K) \geq w(K') . \qquad (4.28)$$

Furthermore, the property of monotony yields that if $w(K) = 0$ then the system function of a 
predecessor node $K'$ of node $K$ must also be $w(K') = 0$. 

A node $K$ is a minimal failure node if the failure sequence that is represented by $K$ leads to 
a first-time failure of the system, i.e. 

$$w(K) = 1 \quad\text{and}\quad w(K') = 0 . \qquad (4.29)$$

The successor nodes of a minimal failure node are called non-minimal failure nodes. All successor 
nodes of a non-minimal failure node are also non-minimal failure nodes. And again, with the 
property of monotony, the system function $w(K'')$ of all successor nodes of a minimal (or non-minimal) 
failure node with $w(K) = 1$ must also be $w(K'') = 1$. 

Sequential failure trees and the TFTA notation correspond to each other: nodes (sequential 
failure tree) correspond to TFTA failure sequences; minimal failure nodes correspond to MCSS; 
non-minimal failure nodes correspond to non-minimal failure sequences. 

Providing all minimal failure nodes (or, respectively, all MCSS) completely describes the TOP 
event of a temporal fault tree and its failure function $w$. 
The left side of figure 4.6 shows the simplified sequential failure tree (without SAND) of a 
system with three components $A$, $B$, and $C$ and the failure function $w = (C \lhd B \lhd A) \vee (B \lhd C)$. 

The sequential failure tree has $n + 1 = 4$ levels. Four of the $\sum_{i=0}^{n=3} \binom{n}{i} \cdot i! = 16$ possible nodes 
(without SAND) are minimal failure nodes, which correspond to the four MCSS $A \lhd B \lhd C$ and 
$\neg A \wedge (B \lhd C)$ and $B \lhd A \lhd C$ and $C \lhd B \lhd A$. In addition, there is a non-minimal failure node, 
corresponding to the failure sequence $B \lhd C \lhd A$. 

Nodes that do not represent a system failure state are filled white, minimal failure nodes are 
filled black, and non-minimal failure nodes are crosshatched. 
4.1.7.2 Sequential Failure Trees with Concurrent Events/SAND 

The right side of figure 4.6 shows the sequential failure tree of a system with failure function 
$w = (C \lhd B \lhd A) \vee (B \lhd C)$; in this case SAND connections and corresponding nodes and transitions 
are also shown. 

Figure 4.6: Sequential failure tree without SAND (left side) and with SAND (right side) of a 
system with failure function $w = (C \lhd B \lhd A) \vee (B \lhd C)$. 

For better discrimination, failure nodes (system failure states) without SAND connection 
are depicted as circles and failure nodes with at least one SAND connection are depicted as 
rectangles. 

Besides that, the notation, as introduced in chapter 4.1.7.1, stays the same. For example, 
sequence $(A \curlywedge B) \lhd C$ corresponds to vector $K = (1, 1, 2)$, and sequence $A \lhd (B \curlywedge C)$ corresponds 
to vector $K = (1, 2, 2)$. Equations (4.25) to (4.29) also hold for sequential failure trees with 
SAND connections. 
4.1.7.3 Using Sequential Failure Trees 

Sequential failure trees allow an intuitive visualization of temporal expressions and thus ease 
their analysis: 

• They directly illustrate temporal expressions, comparable to logic tables as illustrations 
of Boolean expressions. Moreover, different temporal expressions are equivalent, if they 
have identical sequential failure trees. 

• They directly show if temporal expressions are minimal, or if they include each other, see 
chapter 4.3.2. Temporal expressions are minimal, if each of their sequential failure trees 
has at least one minimal failure node which is not a failure node in any of the other failure 
trees. 
• They directly show if temporal expressions are mutually exclusive (disjoint), or if they 
have intersections, see chapter 4.3.3. Temporal expressions are mutually exclusive if their 
failure trees have no failure node in common. 

Two types of sequential failure trees are used below: the "explicit form" shown on the left side 
of figure 4.7, as well as a "compact form" shown on the right side of figure 4.7. 

Figure 4.7: Explicit and compact forms of the same sequential failure tree with failure function 
$w = (A \lhd C) \vee (B \lhd C)$. Both forms are used in this thesis. 

Based on some examples, creating and using sequential failure trees is demonstrated from 
page 33 on; there, sequential failure trees are compared to other visualization methods, too. 
The appendix includes further explanations on sequential failure trees, see page 118. 

Summary of Chapter 4.1: 

The TFTA's notation is based on the three Boolean operators AND, OR, and NOT, supplemented by 
two new temporal operators PAND and SAND. Temporal expressions may be reduced to their 
sum of products form (OR connected event sequences), which is called TDNF and consists of 
PAND connected core events; the TDNF corresponds to the Boolean disjunctive normal form. 
The extended TDNF also allows AND connected core events, which reduces computing effort. 
Sequential failure trees allow the visualization of temporal expressions and show if temporal 
expressions are minimal or mutually exclusive (disjoint). 


4.2 Laws of the TFTA Temporal Logic 

The temporal logic rules of the TFTA method are an extension to conventional Boolean logic 
and algebra. These rules describe temporal relationships between events, i.e. combinations and 
dependencies between events, while taking into account the individual points in time at which 
the events become True, and taking into account possible sequences between events. As it 
includes a concept of time, the temporal logic rules are more extensive and more complex than 
Boolean algebra. 

There are two major differences between the application of the TFTA temporal logic and the 
Boolean logic: 

1. Event sequences are expressed by the order in which events and operators are positioned 
in a temporal expression; therefore, the laws of commutation, laws of associativity, and 
distributive laws are not fully applicable. 

2. In temporal logic there are logical contradictions, i.e. temporal relationships between 
events that are "not possible". Such contradictions always yield a logic False. For instance, 
an event can not become True after it has already become True, and thus $X \lhd X = \text{False}$. 
4.2.1 Boolean Algebra 

The conventional Boolean algebra describes Boolean relationships between events, i.e. it makes 
statements on different events becoming True; but it does not take into account the timing 
between those events. Boolean logic basically consists of the rules listed below [8, 14]: 

laws of commutation 

$$A \wedge B = B \wedge A \quad\text{and}\quad A \vee B = B \vee A . \qquad (4.30)$$

laws of associativity 

$$A \wedge (B \wedge C) = (A \wedge B) \wedge C = A \wedge B \wedge C \quad\text{and}\quad A \vee (B \vee C) = (A \vee B) \vee C = A \vee B \vee C . \qquad (4.31)$$

distributive laws 

$$A \wedge (B \vee C) = (A \wedge B) \vee (A \wedge C) \quad\text{and}\quad A \vee (B \wedge C) = (A \vee B) \wedge (A \vee C) . \qquad (4.32)$$

laws of idempotency 

$$A \wedge A = A \quad\text{and}\quad A \vee A = A . \qquad (4.33)$$

laws of absorption 

$$A \wedge (A \vee B) = A \quad\text{and}\quad A \vee (A \wedge B) = A . \qquad (4.34)$$

de Morgan's theorems 

$$\neg (A \wedge B) = \neg A \vee \neg B \quad\text{and}\quad \neg (A \vee B) = \neg A \wedge \neg B . \qquad (4.35)$$

operations with False and True 

$$\neg \text{False} = \text{True} \,, \quad A \wedge \text{False} = \text{False} \,, \quad A \wedge \text{True} = A \,, \quad A \vee \text{False} = A \,, \quad A \vee \text{True} = \text{True} . \qquad (4.36)$$

4.2.2 Law of Completion 

The law of completion in (4.37) describes the main relationship between Boolean and temporal 
operators and fault tree gates, see figure 4.2: 

$$A \wedge B = (A \lhd B) \vee (A \curlywedge B) \vee (B \lhd A) . \qquad (4.37)$$

Terms on the right side of (4.37) are mutually exclusive (disjoint). 

The SAND connection between different events expresses (structurally) dependent failures, 
which may be interpreted as common cause failures (CCF). It can be shown that the expectancy 
value of the failure probability/failure rate is zero for failure events which are connected by 
SANDs, if independent failures are assumed. For instance, $E[A \curlywedge B] = 0$, see chapter 5.3.1 for 
details. The SAND operator is also very important for transformations of temporal expressions 
and for qualitative analysis. 





4.2.3 Law of Contradiction 

In general, it is logically contradictory if the same event becomes True after itself. This 
follows directly from the assumption of monotony combined with non-repairable components; see 
chapter 3.2.1 for these two general assumptions of this thesis. 

In the most simple case, 

$$A \lhd A = \text{False} . \qquad (4.38)$$

More generally, an event sequence yields False if at least one event exists more than once in it, 
i.e. 

$$X_1 \lhd X_2 \lhd \ldots \lhd X_n = \text{False} \,, \qquad (4.39)$$

if $\exists\, X_i = X_j$ for $i, j \in \{1, 2, \ldots, n\}$ and $i \neq j$. In a temporal fault tree a PAND gate therefore 
yields False if it has the same event as input more than once. 

The law of contradiction applies to non-atomic core events analogously: 

$$(A \curlywedge B) \lhd A = (B \curlywedge A) \lhd A = \text{False} \,, \qquad (4.40)$$

$$A \lhd (A \curlywedge B) = A \lhd (B \curlywedge A) = \text{False} \,, \qquad (4.41)$$

or, more generally, 

$$K_1 \lhd K_2 \lhd \ldots \lhd K_n = \text{False} \,, \qquad (4.42)$$

if there is at least one atomic event $X$ which is part of two or more core events $K$, i.e. if 
$\exists\, (X \in K_i) \wedge (X \in K_j)$ for $i, j \in \{1, 2, \ldots, n\}$ and $i \neq j$. 

An example: $(A \curlywedge B) \lhd C \lhd (A \curlywedge D \curlywedge E) = \text{False}$, as $(A \curlywedge B)$ and $(A \curlywedge D \curlywedge E)$ both contain 
the same atomic event $A$. 

4.2.4 Temporal Law of Idempotency 

A new temporal law of idempotency may be derived from the law of completion and the law 
of contradiction. The temporal law of idempotency applies only to the SAND operator. From 
(4.37) and (4.38) and the Boolean law of idempotency in (4.33) it follows that 

$$A \wedge A = (A \lhd A) \vee (A \curlywedge A) \vee (A \lhd A) = \text{False} \vee (A \curlywedge A) \vee \text{False} \quad\text{and}\quad A \wedge A = A \,,$$

and therefore 

$$A \curlywedge A = A . \qquad (4.43)$$

4.2.5 Temporal Law of Commutativity 

A temporal law of commutativity (or commutation) applies only to the SAND operator, as 

$$A \curlywedge B = B \curlywedge A \,, \qquad (4.44)$$

but not to the PAND operator, as 

$$A \lhd B \neq B \lhd A . \qquad (4.45)$$

4.2.6 Temporal Law of Associativity 

The SAND operator also has the property of associativity; thus 

$$A \curlywedge (B \curlywedge C) = A \curlywedge B \curlywedge C = (A \curlywedge B) \curlywedge C . \qquad (4.46)$$

The PAND operator, on the other hand, is only left-associative, as in 

$$(A \lhd B) \lhd C = A \lhd B \lhd C \neq A \lhd (B \lhd C) . \qquad (4.47)$$

4.2.7 Further Temporal Logic Laws 

There are two more temporal laws with special significance: 

$$A \lhd (B \curlywedge C) = (A \lhd B) \curlywedge C \quad\text{and} \qquad (4.48)$$

$$A \curlywedge (B \lhd C) = B \lhd (A \curlywedge C) . \qquad (4.49)$$

Examples illustrating the laws of temporal TFTA logic 

The correctness of these two laws is demonstrated using three different graphical methods: 

• Table 4.2 (page 36) shows the correctness of (4.48) and (4.49) using truth tables similar to 
the ones known from Boolean logic. The main difference is that in the temporal logic all 
possible event sequences have to be taken into account. 

• Figure 4.8 shows sequential failure trees for (4.48) and (4.49), see page 34, which are well 
suited to verify and visualize temporal expressions. 

• Finally, figure 4.9 shows the correctness of (4.48) and (4.49) using timing diagrams, see 
page 35. 

The number of entries, i.e. rows, in the truth table equals the number of nodes in the sequential 
failure tree. Indeed, one can use sequential failure trees in order to simplify the process of 
creating the truth table. Timing diagrams, on the other hand, are well suited for specific checks 
of more complex temporal expressions. 
Figure 4.8: Sequential failure trees for (4.48) and (4.49), which show their correctness. 
From left to right and from top to bottom: $A$, $B$, $C$, $B \curlywedge C$, $A \lhd B$, $A \curlywedge C$, 
$A \lhd (B \curlywedge C) = (A \lhd B) \curlywedge C$, $A \curlywedge (B \lhd C) = B \lhd (A \curlywedge C)$. 
[Table 4.2, layout: one row per possible event sequence of $A$, $B$ and $C$, 26 rows including 
SAND connections; the left part lists the values of $A \lhd (B \curlywedge C)$ and $(A \lhd B) \curlywedge C$ for (4.48), 
the right part the values of $A \curlywedge (B \lhd C)$ and $B \lhd (A \curlywedge C)$ for (4.49). Both sides of (4.48) 
are True only in the row of the sequence $A \lhd (B \curlywedge C)$, both sides of (4.49) only in the row 
$B \lhd (A \curlywedge C)$; all other rows are False.] 

Table 4.2: Truth table which demonstrates that (4.48) (left side) and (4.49) (right side) are 
correct. Including SAND connections, there are 26 possible sequences. Logical 
equivalence of both expressions is shown as in both cases all possible sequences yield 
identical results. 
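The sequential failure tree of chapter 4.1.7 and the truth-table check of (4.48) and (4.49) in Table 4.2, as an added example that is not part of the thesis: the code enumerates every node of the tree (26 with SAND, 16 without), evaluates a temporal expression in each node, classifies failure nodes as minimal or non-minimal according to (4.29), and compares two expressions node by node. The tuple representation of expressions, the function names and the NOTYET form for $\neg X \wedge e$ are my own assumptions; the failure function $w = (C \lhd B \lhd A) \vee (B \lhd C)$ of figure 4.6 is used as input.

```python
"""Sequential failure trees and truth tables for TFTA temporal expressions.

Added example, not code from the thesis.  A system state K is a dict event -> rank:
0 = not failed, 1, 2, ... = order of failure, equal ranks = simultaneous (SAND)
failure, e.g. (A SAND B) PAND C is {'A': 1, 'B': 1, 'C': 2}."""
from itertools import combinations

# expression constructors (my naming); an expression is a nested tuple
def EV(x):        return ('ev', x)          # atomic event
def AND(a, b):    return ('and', a, b)
def OR(a, b):     return ('or', a, b)
def PAND(a, b):   return ('pand', a, b)     # a strictly before b
def SAND(a, b):   return ('sand', a, b)     # a and b at the same time
def NOTYET(x, e): return ('notyet', x, e)   # not-x AND e: when e occurs, x has not yet occurred

def when(expr, K):
    """Rank (point in time) at which expr first becomes True in state K, or None."""
    op = expr[0]
    if op == 'ev':
        return K[expr[1]] or None            # rank 0 means 'not (yet) failed'
    if op == 'notyet':
        tx, te = K[expr[1]] or None, when(expr[2], K)
        return te if te is not None and (tx is None or tx > te) else None
    a, b = when(expr[1], K), when(expr[2], K)
    if op == 'or':
        ts = [t for t in (a, b) if t is not None]
        return min(ts) if ts else None
    if a is None or b is None:
        return None
    if op == 'and':
        return max(a, b)                     # True once both operands are True
    if op == 'pand':
        return b if a < b else None          # a must occur before b
    if op == 'sand':
        return a if a == b else None         # a and b must occur together
    raise ValueError(op)

def ordered_partitions(items):
    """All ordered set partitions of items; each block is one simultaneous failure."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for part in ordered_partitions(rest):
        for i in range(len(part)):           # join an existing block (SAND)
            yield part[:i] + [part[i] | {first}] + part[i + 1:]
        for i in range(len(part) + 1):       # new block at any position (PAND)
            yield part[:i] + [{first}] + part[i:]

def states(events, sand=True):
    """All nodes of the sequential failure tree: 26 for n = 3 with SAND, 16 without."""
    for k in range(len(events) + 1):
        for subset in combinations(events, k):
            for part in ordered_partitions(list(subset)):
                if sand or all(len(block) == 1 for block in part):
                    K = dict.fromkeys(events, 0)
                    for rank, block in enumerate(part, 1):
                        K.update(dict.fromkeys(block, rank))
                    yield K

def seq_str(K):
    """Render a state as its event sequence, e.g. '(A SAND B) PAND C'; '-' for level 0."""
    blocks = {}
    for e, r in K.items():
        if r:
            blocks.setdefault(r, []).append(e)
    parts = []
    for r in sorted(blocks):
        b = sorted(blocks[r])
        parts.append(b[0] if len(b) == 1 else '(' + ' SAND '.join(b) + ')')
    return ' PAND '.join(parts) or '-'

def predecessor(K):
    """The unique predecessor node K': undo the last (possibly simultaneous) failure."""
    top = max(K.values())
    return {e: (0 if r == top else r) for e, r in K.items()}

def failure_nodes(expr, events, sand=True):
    """Minimal failure nodes, (4.29), and non-minimal failure nodes of expr."""
    minimal, non_minimal = [], []
    for K in states(events, sand):
        if max(K.values()) == 0 or when(expr, K) is None:
            continue
        target = non_minimal if when(expr, predecessor(K)) is not None else minimal
        target.append(seq_str(K))
    return sorted(minimal), sorted(non_minimal)

def equivalent(e1, e2, events, sand=True):
    """Two expressions are equal iff they fail the system in exactly the same nodes."""
    return all((when(e1, K) is None) == (when(e2, K) is None) for K in states(events, sand))

if __name__ == '__main__':
    A, B, C = EV('A'), EV('B'), EV('C')
    w = OR(PAND(PAND(C, B), A), PAND(B, C))                 # failure function of figure 4.6
    print(failure_nodes(w, 'ABC', sand=False))
    lhs, rhs = PAND(A, SAND(B, C)), SAND(PAND(A, B), C)     # law (4.48), left part of table 4.2
    for K in states('ABC'):
        print(f"{seq_str(K):22} {str(when(lhs, K) is not None):6} {when(rhs, K) is not None}")
    print(equivalent(lhs, rhs, 'ABC'))
```

The same machinery checks (4.47) and (4.72), where the two sides are not equal, and the mixed expression (4.59), where the NOTYET form is needed.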
4.2.8 Temporal Operations with Negated Events 

Remark: The statements below exclusively relate to atomic negated events. Specialities of 
non-atomic negated events are covered from page 40 on. 

4.2.8.1 How to Interpret Negated Events in TFTA 

In the TFTA, as well as in the conventional FTA, a non-negated event represents a failure of a 
real element, e.g. a component. Therefore, a negated event represents the "not-failing" of a real 
element. 

There are two possible interpretations for "not-failing": 

1. An element that has failed before is repaired. The "not-failing" is an "un-failing", a 
transition from one state (failed) to another (repaired), and thus is an action. 

2. An element has not yet failed and is still operational. The "not-failing" is a state. 

The temporal logic, as discussed in this thesis and applied to the TFTA, relies on the assumptions 
of monotony of the temporal failure function as well as non-repairability of elements. 

At first, at time $t = 0$, all elements (components) are operational. Failures occur at times 
$t > 0$ and are represented in the temporal fault tree by (non-negated) failure events $X_i$. The 
latter "switch" from False to True at times $t_{X_i} > 0$. Moreover, all elements are non-repairable. 
Failure events that occurred (became True) at $t_{X_i}$ stay True. 

Two things follow for negated events: they are True until $t_{X_i}$ and then become False; and 
they cannot become True again after $t_{X_i}$. Thus, a negated event in the TFTA is 

$$\neg X_i = \begin{cases} \text{True} & \text{in } [0;\, t_{X_i}[ \,, \\ \text{False} & \text{in } [t_{X_i};\, \infty[ \,, \end{cases} \qquad (4.50)$$

with $t_{X_i} > 0$. 

Therefore, the first interpretation of the meaning of negated events in the TFTA is to be 
rejected; in the TFTA negated failure events represent elements that have not yet failed. 

4.2.8.2 Using Negated Events in TFTA 

Negated events are used in two different ways within the TFTA; these are comparable to the 
two ways of using negated events in Boolean FTA. 

1. Even if there are no NOT gates used explicitly in the fault tree, the temporal failure 
function may get negated events from logical transformations. For instance, the trans¬ 
formation of temporal expressions that are not mutually exclusive (not disjoint) into a 
disjoint form requires usage of negated events. 

2. NOT gates in the fault tree model allow explicit modelling of negated events. Such 
negations of basic events or non-atomic events (subtrees) are then input to other higher- 
level fault tree gates. Accordingly, the failure function then includes negated events. 
Negated Events Resulting From Logic Replacements 

In the Boolean FTA non-disjoint expressions are transformed into a disjoint form using negated 
events [34, 80, 81]. Thereby, negated events only occur within conjunctions (AND connected 
terms) in combination with at least one non-negated event. The assumption of monotony is 
not invalidated, because events are not substantially meshed by this transformation (the topic 
of substantial meshing is discussed in [7]). Moreover, none of the transformation laws of the 
Boolean logic introduce new negated events; de Morgan's theorems only discuss transformation 
of existing negated events. 

The temporal logic of the TFTA also uses negated events for the transformation into a disjoint 
form, see chapter 4.3. But unlike the Boolean logic, there are temporal transformation laws, 
specifically the temporal distributive laws in chapter 4.2.10, that do introduce negated events. 
These negated events only occur within conjunctions, though, and in combination with at least 
one non-negated event. In doing so, the assumption of monotony is not invalidated. 

Using Negations Explicitly in Fault Trees 

This kind of usage of negated events is restricted to cases where no substantially meshed negated 
events are used, in order to not invalidate the assumption of monotony, see [7]. Usually, this is 
limited to special use cases, e.g. if the results of one of the temporal laws of transformation (see 
above) shall explicitly be modelled with a temporal fault tree. 

In general, TFTA statements like, e.g., 

• "A has not failed yet, before B has not failed yet", i.e. $\neg A \lhd \neg B$, or 

• "A and B have simultaneously not failed yet", i.e. $\neg A \curlywedge \neg B$, or 

• "A has failed, because B has not failed yet, or C has failed", i.e. $A = \neg B \vee C$, 

are neither logically meaningful nor allowed in TFTA. Thus there is no necessity to use negated 
events explicitly as inputs to PAND or SAND gates, or to use them in combination with non-negated 
events as inputs to OR gates. 

On the other hand, it is indeed permitted to model logical statements like $\neg A \wedge B$ explicitly 
within the fault tree, if, and only if, the assumption of monotony still holds. 

4.2.8.3 Rules of Replacement for Negated Events in the Temporal Logic 

The law of completion from (4.37) must not be used on expressions where at least one of the 
operands of the conjunction (AND connection) is a negated event. 

Therefore, the application of the other temporal laws of transformation also does not lead to 
negated events being input to PAND or SAND operators. In case of the temporal distributive 
laws all negated events are part of conjunction terms, see chapter 4.2.10. Furthermore, this 
leads to the conclusion that the Boolean logic rules may be used for handling of negated events, 
see chapter 4.2.1. 

Special considerations are necessary for "mixed expressions" where negated events and temporal 
expressions are both part of the same conjunction. There are 

$$\neg A \wedge (\ldots \lhd A \lhd \ldots) = \text{False} \,, \qquad (4.51)$$

$$\neg A \wedge (\ldots \lhd (A \curlywedge \ldots) \lhd \ldots) = \text{False} \,, \qquad (4.52)$$

and 

$$(\neg A \wedge B) \wedge C = [\neg A \wedge (B \wedge C)] \vee [(B \lhd A) \wedge C] = [\neg A \wedge (B \wedge C)] \vee [B \lhd A \lhd C] \vee [B \lhd (A \curlywedge C)] \,, \qquad (4.53)$$

$$(\neg A \wedge B) \lhd C = [\neg A \wedge (B \lhd C)] \vee [B \lhd A \lhd C] \vee [B \lhd (A \curlywedge C)] \,, \qquad (4.54)$$

$$(\neg A \wedge B) \curlywedge C = \neg A \wedge (B \curlywedge C) \,, \qquad (4.55)$$

$$C \lhd (\neg A \wedge B) = \neg A \wedge (C \lhd B) . \qquad (4.56)$$

Equation (4.53) shows the one main difference between temporal and Boolean logic with regards 
to usage of negated events. 

In the Boolean logic the law of associativity from equation (4.31) also applies to negated 
events. But in the temporal logic negated events have a "period of validity", which is expressed 
by brackets. For instance, $(\neg A \wedge B) \wedge C$ denotes two things: first, that at the point in time at 
which event $B$ occurs, event $A$ has "not yet" occurred, and second, that $C$ has occurred; but there 
is no separate statement on the timing relationship between $C$ and the others. On the other 
hand, $\neg A \wedge (B \wedge C)$ expresses timing relationships between all three events; this expression 
denotes that at the point in time at which "$B$ and $C$" occurs, the event $A$ has not yet occurred. 

In particular, this also affects temporal expressions of the following type: 

$$(\neg A \wedge B) \curlywedge A = \neg A \wedge (B \curlywedge A) = \text{False} \,, \qquad (4.57)$$

$$A \lhd (\neg A \wedge B) = \neg A \wedge (A \lhd B) = \text{False} \,, \qquad (4.58)$$

$$(\neg A \wedge B) \wedge A = [\neg A \wedge (B \wedge A)] \vee [B \lhd A \lhd A] \vee [B \lhd (A \curlywedge A)] = \text{False} \vee \text{False} \vee [B \lhd A] = B \lhd A . \qquad (4.59)$$

Chapter 4.3.2.2 discusses why and how these expressions are "temporally (non-)minimal". 
4.2.8.4 Conjunction of Negated Events 

The above discussion did not include conjunctions consisting of more than one negated event, 
as e.g. in 

$$\neg A \neg B = \neg A \wedge \neg B . \qquad (4.60)$$

When applied to the TFTA, such conjunctions are interpreted as undividable entities; the rules 
for transformation and handling of negated events, as given above, apply to those entities 
analogously. 

From this it follows that 

$$\neg A \wedge (\neg B \wedge C) = (\neg A \neg B) \wedge C . \qquad (4.61)$$
4.2.8.5 Temporal Laws of Negation, i.e. Negation of Non-Atomic Negated Events 

So far, all statements regarding negated events have applied to atomic events (basic events) 
only. Additional aspects have to be considered in case of negated non-atomic events, as e.g. in 
$\neg(A \lhd B)$. 

The negation of Boolean non-atomic expressions like $\neg(A \wedge B)$ or $\neg(A \vee B)$ is done using 
de Morgan's theorems in (4.35). The negation of SAND and PAND connected expressions can, 
for example, be deduced from figure 4.2; it yields: 

$$\neg(A \lhd B) = (\neg A \neg B) \vee (\neg B \wedge A) \vee (\neg A \wedge B) \vee (B \lhd A) \vee (A \curlywedge B) \quad\text{and} \qquad (4.62)$$

$$\neg(A \curlywedge B) = (\neg A \neg B) \vee (\neg B \wedge A) \vee (\neg A \wedge B) \vee (A \lhd B) \vee (B \lhd A) . \qquad (4.63)$$

On the right hand side of the equations all terms are mutually exclusive (disjoint) and carry 
explicit (temporal) statements on all events involved, see chapter 4.3.3. 

In TFTA such non-atomic negated expressions can only exist as part of a conjunction 
expression together with non-negated events. As such, they describe a system state where at a 
specific point in time a specific event sequence has "not yet" occurred. The right hand sides of 
(4.35), (4.62) and (4.63) represent the different possibilities how this specific system state 
was reached. 

An example: the temporal expression $\neg(A \lhd B) \wedge C$ represents a state in which at the time 
of occurrence of $C$ the event sequence $A \lhd B$ has not occurred. This implies that at the 
time of occurrence of $C$ either 

• neither $A$ nor $B$ have occurred, therefore $(\neg A \neg B) \wedge C$, 

• or $A$ has occurred, but $B$ has not, therefore $\neg B \wedge (A \lhd C)$, 

• or $B$ has occurred, but $A$ has not, therefore $\neg A \wedge (B \lhd C)$, 

• or $B$ has occurred before $A$ has occurred, therefore $(B \lhd A) \lhd C$, 

• or $A$ and $B$ have occurred simultaneously, therefore $(A \curlywedge B) \lhd C$. 

The first temporal law of negation is thus given as 

$$\neg(A \lhd B) \wedge C = [(\neg A \neg B) \wedge C] \vee [\neg B \wedge (A \lhd C)] \vee [\neg A \wedge (B \lhd C)] \vee [(A \curlywedge B) \lhd C] \vee [(B \lhd A) \lhd C] . \qquad (4.64)$$

Analogously, the second temporal law of negation is given as 

$$\neg(A \curlywedge B) \wedge C = [(\neg A \neg B) \wedge C] \vee [\neg B \wedge (A \lhd C)] \vee [\neg A \wedge (B \lhd C)] \vee [(B \lhd A) \lhd C] \vee [(A \lhd B) \lhd C] . \qquad (4.65)$$
4.2.9 True and False in Temporal Logics 

Operations with the "timeless" expressions True and False should only be found in TFTA 
expressions if a more complex temporal expression was reduced to True or False in a preceding 
transformation step. 

If $X$ itself is not negated and $X \neq \text{True}$, then 

$$X \lhd \text{True} = \text{False} \,, \quad X \curlywedge \text{True} = \text{False} \,, \quad \text{True} \lhd X = X \,, \qquad (4.66)$$

$$X \lhd \text{False} = \text{False} \,, \quad X \curlywedge \text{False} = \text{False} \,, \quad \text{False} \lhd X = \text{False} . \qquad (4.67)$$

Furthermore, 

$$\text{True} \lhd \text{True} = \text{False} \,, \quad \text{True} \curlywedge \text{True} = \text{True} \,, \quad \text{False} \lhd \text{True} = \text{False} . \qquad (4.68)$$

Given these rules, consistency with the Boolean logic rules, which of course remain valid, is 
obtained; thus, 

$$X \wedge \text{True} = (X \lhd \text{True}) \vee (X \curlywedge \text{True}) \vee (\text{True} \lhd X) = \text{True} \lhd X = X \,,$$

$$X \wedge \text{False} = (X \lhd \text{False}) \vee (X \curlywedge \text{False}) \vee (\text{False} \lhd X) = \text{False} \lhd X = \text{False} .$$
4.2.10 Temporal Distributive Laws 

Boolean logic has the distributive law as given in (4.32). Combined with the Boolean operators’ 
property of associativity, see (4.31), this yields 

$$ (A \vee B) \wedge C = C \wedge (B \vee A) = (A \wedge C) \vee (B \wedge C) = (C \wedge B) \vee (C \wedge A) . \tag{4.69} $$

This distributive law is vital to the transformation of Boolean expressions into a disjunctive 
normal form (DNF). 

Similarly, the SAND operator of the temporal logic also has the property of associativity; 
therefore, the temporal laws of associativity and commutativity apply, see (4.44) and (4.46). 

On the other hand, the PAND operator obviously lacks a law of commutativity, see (4.45); the 
reason is that this operator “transports” a great part of its logic information in the 
sequence of events. 

Therefore, at least the following two cases have to be distinguished for something like a PAND 
distributive law: 

$$ A \triangleleft (B \vee C) , \quad \text{so-called type I, and} \tag{4.70} $$

$$ (A \vee B) \triangleleft C , \quad \text{so-called type II.} \tag{4.71} $$

The following two sections discuss temporal distributive laws, first for PAND operators and 
expressions of type I and II, followed by the temporal distributive law for SAND operators; for 
the latter, no further discrimination of types is necessary. 

4.2.10.1 Distributive Law for PAND-OR Expressions of Type I 

The logic statement of expression $A \triangleleft (B \vee C)$ is: “A must occur before the expression in brackets 
$(B \vee C)$ occurs”. This is not equivalent to the logic statement “A must occur before B, or A 
must occur before C”, as proven by table 4.3 and figure 4.10: 

$$ A \triangleleft (B \vee C) \neq (A \triangleleft B) \vee (A \triangleleft C) , \tag{4.72} $$

and thus there is no simple temporal distributive law for expressions of type I. 

In fact, the expression on the left hand side of (4.72) makes no explicit statement on temporal 
dependencies between events B and C; but it does include an implicit temporal dependency 
between B and C. This temporal dependency does not so much affect the occurrence of (further) 
events, but the non-occurrence of $A \triangleleft (B \vee C)$ if one of the events B or C occurs before A. This 
implicit dependency is lost in the right hand side of (4.72). 

This problem is solved by explicitly stating the temporal dependencies which are only implied 
by the left side of (4.72). 

The relevant expression $(B \vee C)$ splits into five possible sequences: 

$$ (B \vee C) = (\neg C \wedge B) \vee (\neg B \wedge C) \vee (B \triangleleft C) \vee (C \triangleleft B) \vee (B \overline{\wedge} C) . $$

Only three of these sequences are minimal failure sequences, see figure 4.10 (left side): 

$$ (B \vee C) = (\neg C \wedge B) \vee (\neg B \wedge C) \vee (B \overline{\wedge} C) . \tag{4.73} $$

Inserting this into (4.70) yields for temporal expressions of type I that 

$$ A \triangleleft (B \vee C) = A \triangleleft [(\neg C \wedge B) \vee (\neg B \wedge C) \vee (B \overline{\wedge} C)] . \tag{4.74} $$

At this point non-minimal sequences need not be considered. The OR connected terms in 
brackets are on the right hand side of the PAND operator, and thus occur “later”; all non-minimal 
terms then occur “later still”. They are covered by the minimal sequences. 

Now, with all temporal dependencies explicitly stated, a distribution of the expression is 
possible, thus 

$$ A \triangleleft (B \vee C) = [A \triangleleft (\neg C \wedge B)] \vee [A \triangleleft (\neg B \wedge C)] \vee [A \triangleleft (B \overline{\wedge} C)] . \tag{4.75} $$



Table 4.3: Truth table for expressions $A \triangleleft (B \vee C)$ and $(A \triangleleft B) \vee (A \triangleleft C)$. Including SANDs 
there are 26 sequences, which are divided into two groups of 13 each. As both 
expressions do not yield the same results for all sequences (see deviations marked 
with *), both expressions are not equivalent. 

Group 1: at most two of the three events have occurred 

Sequence                                  | $A \triangleleft (B \vee C)$ | $(A \triangleleft B) \vee (A \triangleleft C)$ 
------------------------------------------|-----------------------------|--------------------------------------------- 
$\neg A \wedge \neg B \wedge \neg C$      | False                       | False 
$\neg B \wedge \neg C \wedge A$           | False                       | False 
$\neg A \wedge \neg C \wedge B$           | False                       | False 
$\neg A \wedge \neg B \wedge C$           | False                       | False 
$\neg C \wedge (A \triangleleft B)$       | True                        | True 
$\neg C \wedge (B \triangleleft A)$       | False                       | False 
$\neg C \wedge (A \overline{\wedge} B)$   | False                       | False 
$\neg B \wedge (A \triangleleft C)$       | True                        | True 
$\neg B \wedge (C \triangleleft A)$       | False                       | False 
$\neg B \wedge (A \overline{\wedge} C)$   | False                       | False 
$\neg A \wedge (B \triangleleft C)$       | False                       | False 
$\neg A \wedge (C \triangleleft B)$       | False                       | False 
$\neg A \wedge (B \overline{\wedge} C)$   | False                       | False 

Group 2: all three events have occurred 

Sequence                                  | $A \triangleleft (B \vee C)$ | $(A \triangleleft B) \vee (A \triangleleft C)$ 
------------------------------------------|-----------------------------|--------------------------------------------- 
$A \triangleleft B \triangleleft C$       | True                        | True 
$B \triangleleft A \triangleleft C$       | False                       | True * 
$A \triangleleft C \triangleleft B$       | True                        | True 
$C \triangleleft A \triangleleft B$       | False                       | True * 
$B \triangleleft C \triangleleft A$       | False                       | False 
$C \triangleleft B \triangleleft A$       | False                       | False 
$A \triangleleft (B \overline{\wedge} C)$ | True                        | True 
$B \triangleleft (A \overline{\wedge} C)$ | False                       | False 
$C \triangleleft (A \overline{\wedge} B)$ | False                       | False 
$(A \overline{\wedge} B) \triangleleft C$ | False                       | True * 
$(A \overline{\wedge} C) \triangleleft B$ | False                       | True * 
$(B \overline{\wedge} C) \triangleleft A$ | False                       | False 
$A \overline{\wedge} B \overline{\wedge} C$ | False                     | False 
[Figure 4.10: sequential failure trees; drawing not reproduced] 

Figure 4.10: Left side: Sequential failure tree for expression $A \triangleleft (B \vee C)$. Right side: Sequential 
failure tree for expression $(A \triangleleft B) \vee (A \triangleleft C)$. On the right side there are additional 
sequences, as each of the two sub-expressions $(A \triangleleft B)$ and $(A \triangleleft C)$ does not make 
any statement about the occurrence of the missing third event. 


Further transformation of this according to chapter 4.2.8 then leads to the distributive law for 
temporal expressions of type I: 

$$ A \triangleleft (B \vee C) = [\neg C \wedge (A \triangleleft B)] \vee [\neg B \wedge (A \triangleleft C)] \vee [A \triangleleft (B \overline{\wedge} C)] . \tag{4.76} $$

The distributive law for temporal expressions of type I therefore requires explicit statements on 
the (non-)occurrence of all of the relevant events, and requires such statements in every sub-expression 
which is OR connected. Statements with that property are called temporal minterms 
in analogy to Boolean minterms. 

If the temporal laws of negation are applied, (4.76) holds for the case of non-atomic events 
A, B, C, too. 

Terms on the right side of (4.76) are mutually exclusive (disjoint). This simplifies later 
probabilistic quantification, see chapter 5. 

Simplification if Terms are Disjoint 

The relationship in (4.76) also holds for the special case of disjoint events B and C, i.e. $B \perp C$. 
But $B \perp C$ implies that each of the events B or C occurs only if the other event does not occur 
and has not yet occurred. Then, (4.76) may be simplified to 

$$ A \triangleleft (B \vee C) = [A \triangleleft B] \vee [A \triangleleft C] , \quad \text{if } B \perp C . \tag{4.77} $$

4.2.10.2 Distributive Law for PAND-OR Expressions of Type II 

The logic statement of expression $(A \vee B) \triangleleft C$ is: “the expression in brackets $(A \vee B)$ must occur 
before C occurs”. This is equivalent to the logic statement “A must occur before C, or B must 
occur before C”, as proven by the sequential failure trees in figure 4.11, which correspond to the 
three expressions $(A \vee B) \triangleleft C$, $(A \triangleleft C)$, and $(B \triangleleft C)$. 

Therefore, the distributive law for temporal expressions of type II is given as 

$$ (A \vee B) \triangleleft C = (A \triangleleft C) \vee (B \triangleleft C) . \tag{4.78} $$

On the other hand, figure 4.11 also shows that $(A \triangleleft C)$ and $(B \triangleleft C)$ are not mutually exclusive. 
The joint sequences, which are part of both expressions, are easily found by building the 
intersection, thus 

$$ (A \triangleleft C) \wedge (B \triangleleft C) = (A \wedge B) \triangleleft C = [A \triangleleft B \triangleleft C] \vee [B \triangleleft A \triangleleft C] \vee [(A \overline{\wedge} B) \triangleleft C] . $$

Figure 4.11 denotes these sequences with *. 

[Figure 4.11: sequential failure trees of $(A \vee B) \triangleleft C$, $(A \triangleleft C)$ and $(B \triangleleft C)$; drawing not reproduced] 

Figure 4.11: Distributive law for temporal expressions of type II: the sequential failure trees of 
$(A \vee B) \triangleleft C$, $(A \triangleleft C)$, and $(B \triangleleft C)$ show that $(A \triangleleft C)$ and $(B \triangleleft C)$ are minimal but 
not mutually exclusive (disjoint); joint sequences are marked with *. 


4.2.10.3 Distributive Law for SAND-OR Expressions 

The logic statement of expression $A \overline{\wedge} (B \vee C)$ is: “A must occur simultaneously with the expression 
in brackets $(B \vee C)$”. In analogy to the distributive law for temporal expressions of type 
I it is easily shown that this is not equivalent to the logic statement “A occurs simultaneously 
with B, or A occurs simultaneously with C”, as proven by figure 4.12. In consequence, there is 
also no simple temporal distributive law for SAND-OR expressions. 

Instead, the temporal distributive law for SAND-OR expressions looks similar to (4.76) and 
is given as 

$$ A \overline{\wedge} (B \vee C) = [\neg C \wedge (A \overline{\wedge} B)] \vee [\neg B \wedge (A \overline{\wedge} C)] \vee [A \overline{\wedge} B \overline{\wedge} C] . \tag{4.79} $$

Figure 4.12: Left side: Sequential failure tree for expression $A \overline{\wedge} (B \vee C)$. Right side: Sequential 
failure tree for expression $(A \overline{\wedge} B) \vee (A \overline{\wedge} C)$. On the right side there are additional 
sequences, as each of the two sub-expressions $(A \overline{\wedge} B)$ and $(A \overline{\wedge} C)$ does not make 
any statement about the occurrence of the missing third event. 

Simplification if Terms are Disjoint 

The relationship in (4.79) also holds for the special case of disjoint events B and C, i.e. $B \perp C$. 
But $B \perp C$ implies that each of the events B or C occurs only if the other event does not occur 
and has not yet occurred. Then, (4.79) may be simplified to 

$$ A \overline{\wedge} (B \vee C) = [A \overline{\wedge} B] \vee [A \overline{\wedge} C] , \quad \text{if } B \perp C . \tag{4.80} $$

4.2.11 Temporal Laws of Absorption 

In analogy to the Boolean laws of absorption in (4.34), there are temporal laws of absorption 
as well. Initially, it may seem that there are several temporal laws of absorption for different 
numbers of events involved; this intuition comes mainly from the permutations that need to be 
taken into account when analysing event sequences. On the other hand, it can be shown that 
the temporal laws of absorption really are specializations of the Boolean laws of absorption in 
(4.34): 

Starting with the most simple case with only two events involved, the temporal laws of 
absorption may be derived from (4.34) by using the law of completion in (4.37); this yields 

$$ A \vee (A \wedge B) = A = A \vee [(A \triangleleft B) \vee (A \overline{\wedge} B) \vee (B \triangleleft A)] , \tag{4.81} $$

which may then be further transformed into 

$$ A \vee (A \triangleleft B) = A , \tag{4.82} $$

$$ A \vee (B \triangleleft A) = A , \tag{4.83} $$

$$ A \vee (A \overline{\wedge} B) = A . \tag{4.84} $$

The more “general” event A absorbs the more “concrete” event, if the latter is a subset of A; this 
is the same for Boolean and temporal logic. In general, if ES is an (extended) event sequence, 
then 

$$ A \vee ES = A , \quad \text{if } A \supseteq ES , \text{ i.e. } ES \subseteq A . \tag{4.85} $$

This relation also holds for non-atomic events A. Unlike in Boolean logic, with more 
complex temporal expressions it is increasingly difficult to spot subsets. There are two major 
reasons for that: the PAND operator has no law of commutativity; and the introduction of core 
events allows for nested events. 

For instance, the temporal laws of absorption for three events are given as 

$$ (A \triangleleft B) \vee (A \triangleleft B \triangleleft C) = A \triangleleft B , \tag{4.86} $$

$$ (A \triangleleft B) \vee (A \triangleleft C \triangleleft B) = A \triangleleft B , \tag{4.87} $$

$$ (A \triangleleft B) \vee (C \triangleleft A \triangleleft B) = A \triangleleft B , \tag{4.88} $$

$$ (A \triangleleft B) \vee ((A \overline{\wedge} C) \triangleleft B) = A \triangleleft B , \tag{4.89} $$

$$ (A \triangleleft B) \vee ((A \triangleleft B) \overline{\wedge} C) = (A \triangleleft B) \vee (A \triangleleft (B \overline{\wedge} C)) = A \triangleleft B . \tag{4.90} $$

Indeed, (4.86) to (4.90) are simple reformulations of 

$$ (A \triangleleft B) \vee ((A \triangleleft B) \wedge C) = (A \triangleleft B) , \tag{4.91} $$

as demonstrated by the following transformation: 

$$ (A \triangleleft B) \wedge C = [(A \triangleleft B) \triangleleft C] \vee [(A \triangleleft B) \overline{\wedge} C] \vee [C \triangleleft (A \triangleleft B)] = \tag{4.92} $$

$$ = [A \triangleleft B \triangleleft C] \vee [A \triangleleft (B \overline{\wedge} C)] \vee [A \triangleleft C \triangleleft B] \vee [C \triangleleft A \triangleleft B] \vee [(A \overline{\wedge} C) \triangleleft B] . $$

Taking this concept one step further, the general temporal law of absorption may then be given 
in complete analogy to its Boolean counterpart as 

$$ ES_i \vee ES_j = ES_i \quad \text{for } ES_j \subseteq ES_i . \tag{4.93} $$

The same holds true for the second Boolean law of absorption from (4.34); its temporal version 
reads as 

$$ A \triangleleft (A \vee B) = [\neg B \wedge (A \triangleleft A)] \vee [\neg A \wedge (A \triangleleft B)] \vee [A \triangleleft (A \overline{\wedge} B)] = \mathrm{False} , \tag{4.94} $$

$$ (A \vee B) \triangleleft A = (A \triangleleft A) \vee (B \triangleleft A) = B \triangleleft A , \tag{4.95} $$

$$ A \overline{\wedge} (A \vee B) = [\neg B \wedge (A \overline{\wedge} A)] \vee [\neg A \wedge (A \overline{\wedge} B)] \vee [A \overline{\wedge} (A \overline{\wedge} B)] = (\neg B \wedge A) \vee (A \overline{\wedge} B) . \tag{4.96} $$


Although initially not very intuitive, these results are correct, as demonstrated by the following 
transformation: On the one hand, 

$$ [A \triangleleft (A \vee B)] \vee [(A \vee B) \triangleleft A] \vee [A \overline{\wedge} (A \vee B)] = A \wedge (A \vee B) = A . $$

And on the other hand, (4.94) to (4.96) yield 

$$ [A \triangleleft (A \vee B)] \vee [(A \vee B) \triangleleft A] \vee [A \overline{\wedge} (A \vee B)] = (B \triangleleft A) \vee (\neg B \wedge A) \vee (A \overline{\wedge} B) . $$

Furthermore, $\neg B \wedge A$ covers the non-minimal sequence $A \triangleleft B$, thus providing 

$$ [A \triangleleft (A \vee B)] \vee [(A \vee B) \triangleleft A] \vee [A \overline{\wedge} (A \vee B)] = (B \triangleleft A) \vee (\neg B \wedge A) \vee (A \overline{\wedge} B) = $$

$$ = (\neg B \wedge A) \vee (A \triangleleft B) \vee (A \overline{\wedge} B) \vee (B \triangleleft A) = (\neg B \wedge A) \vee (A \wedge B) = A . $$

These transformations illustrate that (4.94) to (4.96) really are only specializations of the 
Boolean laws of absorption. 

4.2.12 Temporal Law for Intersections 

The introduction of PAND and SAND operators into the temporal TFTA logic leads to expressions 
like $A \wedge (A \triangleleft B)$, $B \wedge (A \triangleleft B)$, or $A \wedge (A \overline{\wedge} B)$. Such expressions are not easily covered by 
the temporal laws of absorption, as in their case, and unlike in the case of the laws of absorption, 
see above, the more “general” expression does not absorb the more “concrete” expression. 
Therefore, a new temporal law for intersections is proposed. 

The temporal law for intersections describes conjunctions of two expressions, one of which is 
an intersection of the other. In the Boolean case, this can be solved by applying the laws of 
associativity and idempotency: 

$$ A \wedge (A \wedge B) = A \wedge A \wedge B = A \wedge B . \tag{4.97} $$

In the temporal case, three different settings have to be considered: 

$$ A \wedge (A \triangleleft B) = (A \triangleleft B) \wedge A = A \triangleleft B , \tag{4.98} $$

$$ B \wedge (A \triangleleft B) = (A \triangleleft B) \wedge B = A \triangleleft B , \tag{4.99} $$

$$ A \wedge (A \overline{\wedge} B) = (A \overline{\wedge} B) \wedge A = (B \overline{\wedge} A) \wedge A = A \wedge (B \overline{\wedge} A) = A \overline{\wedge} B . \tag{4.100} $$

Correctness may be easily demonstrated using the temporal logic laws provided above. For 
instance, 

$$ A \wedge (A \triangleleft B) = [A \triangleleft (A \triangleleft B)] \vee [A \overline{\wedge} (A \triangleleft B)] \vee [(A \triangleleft B) \triangleleft A] = (A \overline{\wedge} A) \triangleleft B \vee \mathrm{False} \vee \mathrm{False} = A \triangleleft B . $$

The same holds true for more general cases with more complex expressions, as in 

$$ X_i \wedge \ldots \wedge X_j \wedge (\ldots \triangleleft X_i \triangleleft \ldots) = X_j \wedge (\ldots \triangleleft X_i \triangleleft \ldots) \quad \text{and} \tag{4.101} $$

$$ X_i \wedge \ldots \wedge X_j \wedge (\ldots \overline{\wedge} X_i \overline{\wedge} \ldots) = X_j \wedge (\ldots \overline{\wedge} X_i \overline{\wedge} \ldots) , \tag{4.102} $$

as well as for expressions that include intersections with non-atomic core events, i.e. 

$$ X_i \wedge \ldots \wedge X_j \wedge (\ldots \triangleleft (X_i \overline{\wedge} \ldots) \triangleleft \ldots) = (\ldots \triangleleft X_j \wedge (X_i \overline{\wedge} \ldots) \triangleleft \ldots) . \tag{4.103} $$

In general, the temporal law for intersections is therefore given as: 

$$ ES_i \wedge ES_j = ES_j \quad \text{for } ES_j \subseteq ES_i . \tag{4.104} $$

4.3 Minimal and Disjoint Forms of TFTA Temporal Expressions 

4.3.1 Minimal and Disjoint Forms of Boolean Expressions 

This chapter discusses two properties that TFTA temporal expressions may have. Temporal 
expressions which are minimal or mutually exclusive (disjoint) have special meaning and importance 
within the TFTA’s temporal logic; in this they are similar to the Boolean FTA. In both 
cases, the Boolean as well as the temporal, any logic expression can be transformed into “sum 
of products” forms, i.e. DNF or TDNF, respectively, by using the laws of transformation given in 
chapter 4.2. 

In general, these cutsets (Boolean case) or event sequences (temporal logic) still include 
redundant information. Therefore, further transformation into a minimal sum of products form, 
i.e. minimal cutsets and MCSS, respectively, is necessary and provides an even more useful 
representation of the (temporal) failure function. 

For further probabilistic calculation it is then helpful to transform this minimal form into a 
minterm form, where all minterms are mutually exclusive (disjoint), see chapter 4.3.3. 

Disjunctive Normal Form (Sum of Products) 

Boolean expressions $\varphi$ are transformed into a DNF by applying the laws of Boolean algebra; in 
DNF 

$$ \varphi = \bigvee_{j=1}^{\zeta} S_j = \bigvee_{j=1}^{\zeta} \left( \bigwedge_{i=1}^{n_j} X_i \right) , \tag{4.105} $$

where $\zeta$ denotes the number of cutsets S of $\varphi$, which are not necessarily already minimal, and 
$n_j$ denotes the number of events X which constitute $S_j$. 

Minimal DNF 

In a next step, the cutsets S of Boolean expressions $\varphi$ are minimal, if none of the cutsets 
“includes” another. If so, they are called minimal cutsets and are denoted with MS for better 
discrimination. Using the laws of Boolean algebra from chapter 4.2.1, (monotone) Boolean 
expressions as in (4.105) can be transformed into a minimal form, where 

$$ \varphi = \bigvee_{j=1}^{\xi} MS_j = \bigvee_{j=1}^{\xi} \left( \bigwedge_{i=1}^{n_j} X_i \right) , \tag{4.106} $$

where $\xi \leq \zeta$. 

Each of these $\xi$ minimal cutsets $MS_j$ and $MS_{j'}$ with $j, j' \in \{1, 2, \ldots, \xi\}$ and $j' \neq j$ are 
pairwise mutually exclusive: 

$$ MS_j \wedge MS_{j'} \neq MS_j \quad \text{and} \quad MS_j \wedge MS_{j'} \neq MS_{j'} . \tag{4.107} $$

Simplifying Quantification By Using Disjoint Terms 

In many cases it is helpful to transform logic functions into an equivalent form which is specifically 
well suited for a certain task. For conventional fault trees the minimal cutset form of a system’s 
failure function according to (4.106) is, for example, especially illustrative and well suited for 
qualitative analyses; on the other hand, the form below is equivalent but much less easy to 
understand: 

$$ \bigvee_{j=1}^{\xi} \left( MS_j \wedge \bigwedge_{i=1}^{j-1} \neg (MS_i) \right) . \tag{4.108} $$

This form aids probabilistic analyses because of its mutually exclusive (disjoint) OR connected 
terms; see chapter 5 for details. 

In general, two Boolean expressions $\varphi_1$ and $\varphi_2$ are mutually exclusive (disjoint), if their 
conjunction yields False: 

$$ \varphi_1 \wedge \varphi_2 = \mathrm{False} \;\Leftrightarrow\; \varphi_1 \perp \varphi_2 . \tag{4.109} $$

4.3.2 Minimal Temporal Expressions 

Minimality of temporal logic expressions parallels the Boolean case. Temporal logic expressions 
are minimal if they “do not include each other”. In the temporal logic special care is 
necessary, though, because of three differences compared to the Boolean case: first, there are 
other and additional logic operators; second, negated events have special meaning; third, properties 
of commutativity and associativity are restricted. Moreover, temporal expressions can be 
structurally non-minimal as well as temporally non-minimal, see chapters 4.3.2.1 and 4.3.2.2, 
respectively. First some groundwork has to be laid, though. 

Minimal Temporal Failure Function 

Using the temporal transformation laws from above, temporal expressions $\varpi$ may be transformed 
into a TDNF, which is similar to the Boolean DNF. For readability, (4.16) is repeated 
here: 

$$ \varpi = \bigvee_{j=1}^{\zeta} ES_j = ES_1 \vee ES_2 \vee \ldots \vee ES_\zeta . \tag{4.110} $$

$\zeta$ denotes the number of event sequences ES in $\varpi$, which need not be minimal at this stage. 

Then, the corresponding minimal form consists of $\xi$ minimal cutset sequences (MCSS), which 
are OR connected: 

$$ \varpi = \bigvee_{j=1}^{\xi} MCSS_j = MCSS_1 \vee MCSS_2 \vee \ldots \vee MCSS_\xi , \quad \text{with } \xi \leq \zeta . \tag{4.111} $$

Condition of Minimality 

In the temporal logic “minimal” also means that none of the $MCSS_j$ “covers” or “includes” any 
other $MCSS_{j'}$ (where $j, j' \in \{1, 2, \ldots, \xi\}$ and $j' \neq j$). 

The sections below show that the criterion for temporal expressions being minimal is very 
similar to the Boolean criterion in (4.107). 

Event sequences are minimal, if all pairs of $MCSS_j$ and $MCSS_{j'}$ with $j, j' \in \{1, 2, \ldots, \xi\}$ and 
$j' \neq j$ satisfy 

$$ MCSS_{j'} \not\subseteq MCSS_j \;\Leftrightarrow\; MCSS_j \wedge MCSS_{j'} \neq MCSS_{j'} \quad \text{and} \tag{4.112} $$

$$ MCSS_j \not\subseteq MCSS_{j'} \;\Leftrightarrow\; MCSS_j \wedge MCSS_{j'} \neq MCSS_j . \tag{4.113} $$

For this relation a new operator is introduced: 

$$ MCSS_j \mid MCSS_{j'} \tag{4.114} $$

implies that $MCSS_j$ and $MCSS_{j'}$ are minimal. 

One difference to the Boolean case is that writing temporal expressions in their TDNF form 
usually requires the use of negated events; this comes from the temporal distributive laws, see 
chapter 4.2.10, and requires a discussion on minimal temporal expressions with negated events. 

4.3.2.1 Structurally Non-Minimal Temporal Expressions 

Temporal expressions are structurally non-minimal, if one of them is a special case of the other 
expression. Structurally non-minimal expressions may be transformed into a minimal form by 
applying the temporal laws of absorption (chapter 4.2.11) and the temporal law for intersections 
(chapter 4.2.12). 

4.3.2.2 Temporally Non-Minimal Temporal Expressions 

Beyond the structural aspect of non-minimality there is the question of minimality in temporal 
expressions like 

$$ (\neg B \wedge A) \vee (A \triangleleft B) . \tag{4.115} $$

Checking for minimality according to (4.113) shows that these two terms are not minimal. 
From 

$$ (\neg B \wedge A) \wedge (A \triangleleft B) \tag{4.116} $$

follows with (4.53) that 

$$ (\neg B \wedge A) \wedge (A \triangleleft B) = [\neg B \wedge (A \triangleleft (A \triangleleft B))] \vee [(A \overline{\wedge} B) \wedge ((A \triangleleft B) \triangleleft A)] \vee [A \wedge (B \wedge (A \triangleleft B))] . \tag{4.117} $$

The first sub-expression on the right side is then reduced by applying (4.51), which yields 

$$ \neg B \wedge (A \triangleleft (A \triangleleft B)) = \neg B \wedge (A \triangleleft B) = \mathrm{False} . \tag{4.118} $$

The second sub-expression is then also reduced to False by applying the temporal law of 
contradiction, see (4.38). Then, the remaining 

$$ (\neg B \wedge A) \wedge (A \triangleleft B) = A \wedge (B \wedge (A \triangleleft B)) = A \wedge (A \triangleleft B) = A \triangleleft B \tag{4.119} $$

does not satisfy the minimality condition from (4.113). Therefore, (4.115) is not minimal, which 
is also shown by the sequential failure trees, as the sub-expression $A \triangleleft B$ consists only of such 
expressions that are non-minimal with regard to $\neg B \wedge A$. Thus, the minimal form is given as 
$\neg B \wedge A$, which “covers” the second term $A \triangleleft B$. 


Generalization 

The example from above may be generalized with the laws of transformation for negated events 
from chapter 4.2.8.3. From (4.59) it follows that $\neg X \wedge ES$ with $X \notin ES$ is temporally non-minimal 
with respect to all temporal expressions in which ES occurs before X, i.e. $ES \triangleleft X$. 

As $(\neg X \wedge ES) \vee (ES \triangleleft X)$ with $X \notin ES$ is non-minimal because of the temporal sequence of 
the events, this effect is called temporal non-minimality. 


Two More Examples 

$(\neg B \wedge A) \vee (C \triangleleft A)$ is already given in minimal form, as (4.53) and (4.113) hold: 

(4.120) 

The sequential failure trees prove that each of the expressions includes failure nodes which are 
unique to this expression and not part of the other. 

However, $\neg B \wedge A$ is the minimal form of all such event sequences that include A but not 
$B \triangleleft A$, i.e. (without SAND) $\neg B \wedge (A \triangleleft C)$, $\neg C \wedge (A \triangleleft B)$, $A \triangleleft B \triangleleft C$, $A \triangleleft C \triangleleft B$, and $C \triangleleft A \triangleleft B$. 
Exemplarily, this is shown with one of these expressions: 

$$ (\neg B \wedge A) \wedge (A \triangleleft C \triangleleft B) = [\neg B \wedge (A \triangleleft (A \triangleleft C \triangleleft B))] \vee [(A \overline{\wedge} B) \wedge ((A \triangleleft C \triangleleft B) \triangleleft A)] \vee [A \wedge (B \wedge (A \triangleleft C \triangleleft B))] = \mathrm{False} \vee \mathrm{False} \vee A \wedge (A \triangleleft C \triangleleft B) = A \triangleleft C \triangleleft B . \tag{4.121} $$

As the sequential failure trees show, (4.113) is not complied with; and $(\neg B \wedge A) \vee (A \triangleleft C \triangleleft B)$ 
is, thus, non-minimal. 

4.3.3 Disjoint Temporal Expressions 

Minimal temporal expressions are not necessarily also mutually exclusive (disjoint). For example, 
the failure function $\varpi = (\neg B \wedge A) \vee (C \triangleleft A)$ is given in minimal form. But the two 
event sequences $\neg B \wedge A$ and $C \triangleleft A$ are not mutually exclusive; instead, $\neg B \wedge (C \triangleleft A)$ is an 
intersection, see (4.120). 

The sections below discuss mutually exclusive temporal expressions and a method for transforming 
temporal expressions into mutually exclusive ones. 

4.3.3.1 Condition for Disjointness 

In analogy to chapter 4.3.1, two temporal expressions are mutually exclusive (disjoint), if their 
conjunction (AND connection) yields False, i.e. if there is no intersection between them. When 
illustrated by sequential failure trees, disjoint temporal expressions do not have any failure nodes 
in common. In the following example, a temporal expression has three disjoint sub-expressions: 

$$ (A \triangleleft B \triangleleft C) \vee (B \triangleleft A \triangleleft C) \vee (C \triangleleft A) . $$

Thereby, 

$$ (A \triangleleft B \triangleleft C) \wedge (B \triangleleft A \triangleleft C) = \mathrm{False} , $$

$$ (A \triangleleft B \triangleleft C) \wedge (C \triangleleft A) = \mathrm{False} , $$

$$ (B \triangleleft A \triangleleft C) \wedge (C \triangleleft A) = \mathrm{False} . $$

On the other hand, there are intersections in the following example: 

$$ (A \triangleleft B) \wedge (A \triangleleft C) = \ldots \neq \mathrm{False} , $$

as 

$$ (A \triangleleft B) \wedge (A \triangleleft C) = [(A \triangleleft B) \triangleleft (A \triangleleft C)] \vee [(A \triangleleft B) \overline{\wedge} (A \triangleleft C)] \vee [(A \triangleleft C) \triangleleft (A \triangleleft B)] = $$

$$ = [A \triangleleft B \triangleleft C] \vee [A \triangleleft (B \overline{\wedge} C)] \vee [A \triangleleft C \triangleleft B] . $$

4.3.3.2 Structurally and Temporally Disjoint Temporal Expressions 

In the TFTA’s temporal logic there are two types of disjointness: 

1. An event cannot be True and False at the same time. Therefore and in analogy to the 
Boolean logic, two expressions are disjoint, if one of them includes a non-negated event and 
the other expression includes the negation of the same event. For instance, $\neg A \wedge B$ and 
$A \triangleleft B$ are mutually exclusive (disjoint). In general, this type of disjointness is expressed 
in (4.51) and (4.52). 

2. Other than Boolean expressions, temporal expressions can be mutually exclusive because 
of the possibility of temporal contradictions. Following from the temporal laws of completion 
and the temporal law of contradiction (see chapter 4.2.2 and 4.2.3, respectively), two 
temporal expressions are disjoint, if the same events are included in both, but in different 
sequences. Therefore, $B \triangleleft A$ and $A \triangleleft B$ are, e.g., disjoint without any negated events. 

In both cases the lack of any intersections indicates that the expressions are mutually exclusive. 
Therefore, the condition for disjointness from chapter 4.3.3.1 is applicable for temporal as well 
as Boolean expressions, see (4.109). In consequence, temporal and Boolean expressions do 
not differ significantly regarding being mutually exclusive. 

4.3.3.3 Disjoint Separation Using Temporal Minterms 

Temporal minterms are event sequences which consist of all $\nu$ parameters of a temporal logic 
function of size $\nu$, where each parameter is included exactly once. 

Temporal minterms are used in order to split a temporal expression into disjoint event sequences. 
In this form they are especially well suited for later probabilistic quantification. See 
chapter 4.3.1 for further background. 

These expressions may be deduced using a method which is similar to Shannon’s decomposition 
for Boolean expressions: 

1. The relevant temporal function $\varpi$ with $\nu$ different parameters has to be given as TDNF. 
If not, $\varpi$ is transformed into a TDNF using the temporal logic laws from above. 

2. The first event sequence is chosen: $ES = ES_1$. 

3. If ES consists of all $\nu$ parameters, go to step seven. 

4. Choose the first parameter X which is missing in ES. 

5. ES is then transformed into its disjoint form by using 

$$ ES = ES \wedge (\neg X \vee X) = (\neg X \wedge ES) \vee (X \wedge ES) . \tag{4.122} $$

6. Repeat step five for each of the other parameters that are missing in ES. 

7. If the chosen ES is not the last event sequence in $\varpi$, choose the next event sequence ES 
and go to step three. 

8. Check whether the resulting expressions are minimal by applying the transformation laws 
of the temporal logic and specifically the temporal laws of absorption. 

This method and workflow are shown on two examples in appendix A.3, see page 120. 

4.4 Simplification Using Extended Event Sequences and 
Extended TDNF and Extended MCSS 

Chapter 4.1.5.1 discussed “normal” temporal expressions and the temporal logic, which allows 
to transform temporal expressions w into their - possibly minimal and mutually exclusive 
(disjoint) - TDNF. The TDNF describes all the event sequences that lead to the occurrence of 
the TOP event; it is well suited for further qualitative cutset analyses, and it provides the basis 
for probabilistic quantification of the failure function. 
4.4.1 Motivation and Requirements 

Although both of the TFTA’s goals from chapter 3.2 are met with these “normal” temporal 
expressions, their practical usability is limited because of the high number of resulting event 
sequences. For instance, the relatively simple temporal expression $A \triangleleft (B \wedge C) \triangleleft (D \wedge E)$ already 
provides 32 different temporal minterms (chapter 5.5.2) - and that is without even taking SANDs 
into account. This combinatorial blow-up of the number of event sequences mainly stems from 
applying the temporal law of completion (see chapter 4.2.2). 

On the one hand, transformations according to the temporal logic are necessary for trans¬ 
forming complex expressions into manageable ones. On the other hand, clarity and readability 
of the results depend very much on the (low) number of such sub-expressions. 

It is, therefore, sensible to simplify a complex temporal expression only so far, as to obtain 
useable, and especially minimal, sub-expressions, while at the same time keep the number of 
such sub-expressions as small as possible. 

Thus, there are certain requirements on such a simplified temporal form: 

1. The simplified form shall also allow qualitative as well as probabilistic analyses. 

2. The simplified form shall also be able to provide temporal expressions in a normal form. 

3. Each of the event sequences of this normal form shall be minimal. 

4. Each of the event sequences of this normal form shall be directly quantifiable. 

5. For probabilistic quantification, the event sequences shall be mutually exclusive. 

The extended TDNF, as introduced in chapter 4.1.5.2, is one possibility to meet these 
requirements. 

In extended TDNF temporal expressions consist of normal (atomic and non-atomic) core 
events as well as extended core events, such as 

$$ eA = A_1 \wedge A_2 \wedge \ldots . \tag{4.123} $$

Event sequences with extended core events are called extended event sequences, see the grammar 
of temporal logics in chapter 4.1.5. 

Using this form is useful, if all sequences of specific events contribute equally to the TOP 
event. The extended form combines these “real” events and reduces modelling effort, and allows 
concise presentation of temporal expressions. 

Without the extended form, temporal expressions are transformed in order to generate their 
TDNF consisting of event sequences only, which themselves consist of core events. Each core 
event stands for events which occur at a specific, though relative, point in time. An expression 
$A \triangleleft (B \overline{\wedge} C)$, for example, indicates that an atomic core event A occurred before later both 
events B and C happened simultaneously. The event sequence indicates clearly which event 
occurs when. 

Now, with the extended form, temporal expressions are transformed in order to generate their 
extended TDNF. The latter includes both normal event sequences, consisting of normal core 
events, and extended event sequences, consisting of normal and extended core events. 

Extended core events indicate that at a given point in time certain events have happened. An 
expression $A \triangleleft (B \wedge C)$, for example, indicates that an atomic core event A has occurred 
before later both events B and C have occurred. No statement is made on the real times at which 
the events B and C occurred that form the extended core event. The extended form neither 
defines nor restricts the sequence between B and C; it solely describes a “latest possible” time 
for occurrence. 

Extended event sequences may contain more than one extended core event, as e.g. in 
$(A \wedge B) \triangleleft (C \wedge D)$. If events are included within the same extended event sequence more than 
once, then they need further transformation/simplification. 

On the other hand, it disagrees with the extended TDNF to combine several (extended) event 
sequences with an AND. Instead, further transformation/simplification is necessary first. For 
example, only the simplification of $(A \triangleleft B) \wedge C$ according to the laws of temporal logic provides 
a correct extended TDNF: 

$$ (A \triangleleft B) \wedge C = [(A \wedge C) \triangleleft B] \vee [A \triangleleft (B \overline{\wedge} C)] \vee [A \triangleleft B \triangleleft C] . \tag{4.124} $$
4.4.2 Using Extended Temporal Expressions 

The decision for using the extended form is taken during qualitative transformation of the 
temporal failure function: 

• The Boolean distributive law gets priority over the temporal law of completion. 

• AND connections are not broken up, if the AND connected events 

— are event sequences without negated events and 

— are pairwise coprime as well as coprime to the rest of the (extended) event sequence 
which is currently looked at. 

In general, the temporal logic rules from chapters 4.2 and 4.3 apply to extended core events 
and extended event sequences, too. Extended core events are handled as entities, i.e. they are 
handled in analogy to normal non-atomic core events like $X_1 \overline{\wedge} X_2 \overline{\wedge} \ldots$. 

There are additional transformation laws specifically for the extended form. These laws are 
discussed in the following sections. 

Laws of Contradiction for Extended Event Sequences 

The law of contradiction for normal temporal expressions (chapter 4.2.3) does not directly 
apply to extended event sequences. An example: the expression (A Ai?) X {B AC) consists of 
two extended core events, which both include the same basic event B. This does not yield False^ 
though. Instead, it may be further transformed using (4.48), which yields 

{AAB)A{B AC) = {AABAB)AC = {AAB)AC . (4.125) 

On the other hand, extended event sequences may, of course, result in contradictions. The 
following three cases differ from each other, and together they form the law of contradiction for 
extended event sequences: 

First and in analogy to (4.39), for extended event sequences with normal and extended core 
events eK there is 


eKi A eK 2 X ... X eK^ = False , (4.126) 

if 3 eKi = eKj for i, j G {1, 2,..., n} and i 7 ^ j. This may be shown by transforamtion of the 
extended form using (4.37) and (4.77). For example, 

{AaB)A{AaB) = {AAB)A[{AAB)y{BAA)y{AAB)] = 
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= [{AABAA)AB]v[{AABAB)aA]v[{AAB)A{AAB)] = 

= False . (4.127) 

Second, an extended event sequence yields False because of a contradiction if it has an 
extended core event $eK$ together with a normal core event $K$, which must occur later in the 
event sequence, and if there is at least one event $X$ which appears in $K$ as well as in $eK$: 

$eK_1\,\mathrm{PAND}\,eK_2\,\mathrm{PAND}\,\ldots\,\mathrm{PAND}\,K_j\,\mathrm{PAND}\,\ldots = \mathrm{False}$ , (4.128) 

if $\exists\,(X \in eK_i) \wedge (X \in K_j)$ for $i < j$. $K$ may be an atomic or non-atomic core event. For 
example, the expression $(A \wedge B)\,\mathrm{PAND}\,B$ yields a contradiction, as it requires that $A$ as well as $B$ have 
occurred before $B$ occurs. The expression $(A \wedge B)\,\mathrm{PAND}\,(A\,\mathrm{SAND}\,C)$ also yields a contradiction, as it 
requires that $A$ as well as $B$ have occurred before $A$ and $C$ occur simultaneously. In both cases, 
though, there is no contradiction if the normal core event occurs before the extended core event: 
For instance, $A\,\mathrm{PAND}\,(A \wedge B) = A\,\mathrm{PAND}\,B$ and $(A\,\mathrm{SAND}\,C)\,\mathrm{PAND}\,(A \wedge B) = (A\,\mathrm{SAND}\,C)\,\mathrm{PAND}\,B$. 

Third, an extended event sequence yields False because of a contradiction if it contains more 
than one normal core event, and the normal law of contradiction from (4.42) applies to these 
core events. 

Using Negated Events in Extended Event Sequences and Extended Core Events 

Handling of negated events is also quite similar to the discussions from chapter 4.2.8. But there 
are certain additions for extended event sequences and extended core events. 

Negation of extended event sequences is the same as in (4.65), but extended core events are 
treated as entities. 

Extended core events are negated by using de Morgan's theorems: 

$\neg eK = \neg(X_1 \wedge X_2 \wedge \ldots) = \neg X_1 \vee \neg X_2 \vee \ldots$ . (4.129) 

Negated extended core events are negated events, and as such are included into (extended) event 
sequences with negated events; see chapter 4.2.8 for details. In addition to (4.51) and (4.52), 

$\neg A \wedge (\ldots\,\mathrm{PAND}\,(A \wedge \ldots)\,\mathrm{PAND}\,\ldots) = \mathrm{False}$ . (4.130) 

Temporal Laws for Intersections of Extended Event Sequences and Extended Core Events 

There is a special law for intersections of extended event sequences and extended core events, 
which provides 

$A\,\mathrm{PAND}\,(A \wedge B \wedge \ldots) = A\,\mathrm{PAND}\,(B \wedge \ldots)$ . (4.131) 

Its correctness is easily demonstrated by breaking up the extended core event. 
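The three cases of the law of contradiction above and the reduction law (4.131), as an added executable checker (my code, not part of the thesis). Core events are modelled as frozensets of basic-event names, an extended core event being the AND of its members; `simplify` generalizes (4.131) slightly by also dropping, from a later extended core event, basic events that already occurred in an earlier extended core event, as in (4.125).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CoreEvent:
    """One core event of a PAND chain: a set of basic-event names.

    extended=True marks an extended core event eK = X1 AND X2 AND ...;
    extended=False marks a normal (atomic or non-atomic) core event K.
    """
    events: frozenset
    extended: bool = False


def eK(*names):
    """Extended core event, e.g. eK('A', 'B') for (A AND B)."""
    return CoreEvent(frozenset(names), True)


def K(*names):
    """Normal core event, e.g. K('A') or the non-atomic K('A', 'C')."""
    return CoreEvent(frozenset(names), False)


def contradiction(seq):
    """Return the case under which the PAND chain `seq` is False, or None.

    1: two identical extended core events, (4.126)
    2: an extended core event followed by a normal core event sharing an event, (4.128)
    3: two normal core events sharing a basic event, (4.42)
    """
    for i in range(len(seq)):
        for j in range(i + 1, len(seq)):
            a, b = seq[i], seq[j]
            if a.extended and b.extended and a.events == b.events:
                return 1
            if a.extended and not b.extended and a.events & b.events:
                return 2
            if not a.extended and not b.extended and a.events & b.events:
                return 3
    return None


def simplify(seq):
    """Apply (4.131) along the chain: a basic event that has already occurred in an
    earlier core event is dropped from a later extended core event. Returns the
    simplified chain, or None if the chain is False."""
    if contradiction(seq) is not None:
        return None
    seen = set()
    out = []
    for ce in seq:
        remaining = ce.events - seen if ce.extended else ce.events
        if not remaining:
            # every member of the extended core event has already occurred; expanding
            # it with the law of completion runs into case 2 for each term, cf. (4.127)
            return None
        # an extended core event reduced to one basic event is a normal atomic event
        out.append(CoreEvent(frozenset(remaining), ce.extended and len(remaining) > 1))
        seen |= ce.events
    return out


if __name__ == "__main__":
    # the examples from the text: constructed chains over basic events A, B, C
    print(contradiction([eK("A", "B"), eK("A", "B")]))      # 1, (4.127)
    print(contradiction([eK("A", "B"), K("B")]))            # 2
    print(contradiction([K("A"), eK("A", "B")]))            # None
    print(simplify([K("A"), eK("A", "B")]))                 # A PAND B
    print(simplify([eK("A", "B"), eK("B", "C")]))           # (A AND B) PAND C, (4.125)
```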

4.5 Summary 

The TFTA’s temporal logic described in this chapter extends the conventional Boolean FTA 
for non-repairable components/failures; it allows to model and analyze event sequences. 

The TFTA is an extension to Boolean algebra and logic and does not rely on state-based modelling 
techniques. Apart from Boolean operators for the conventional conjunction, disjunction, 
and negation, the TFTA has two additional operators PAND and SAND; these are “specialized 
conjunctions” which differentiate between event sequences and simultaneous events. 

Using conventional Boolean logic transformations and additional laws of transformation for 
temporal expressions, it is possible to transform complex temporal expressions into a temporal 
disjunctive normal form (TDNF). The TDNF consists of separated event sequences. The latter 
may be reduced into their minimal form, so called MCSS. The TFTA thus allows efficient and 
meaningful qualitative analyses, just as the conventional FTA does. 

As an extension to the Boolean algebra, the TFTA's temporal logic is universally applicable 
and not at all restricted to certain failure rate distributions. 

In another step MCSS may be transformed into mutually exclusive expressions. The latter are 
especially well suited for direct probabilistic quantification and thus allow probabilistic analyses 
of temporal expressions, see the next chapter 5. 

The TFTA follows the conventional FTA in notation, expressions, workflow-steps, and work 
products. When compared to state based dynamic methods, the TFTA, therefore, has similar 
positive characteristics: its logic expressions and results are similarly intuitive in use, similarly 
readable and comprehensible, and it has good scalability. 

Simplification of temporal expressions into a minimal form (and if necessary: mutually exclusive, 
disjoint form, too) requires heavy effort, which is an additional cost when compared to 
Boolean FTA. This, on the other hand, is no problem specific to the TFTA, and instead is, in 
principle, the same for all dynamic models. 

The TFTA allows for an efficient reduction of effort, though, by means of an “extended logic 
form”. If several sequences may be combined into a normal, i.e. Boolean, conjunction, then the 
extended form does not explicitly break them down. This alone highly improves the calculatory 
effort, which otherwise grows exponentially. 



5 Probabilistic Quantification of the TFTA 
Method 


Probable impossibilities are to be 
preferred to improbable possibilities. 

(Aristoteles) 


The quantification of the TFTA method extends the qualitative analysis. Allocation of failure 
rates and probabilities to basic events allows the calculation of the TOP event's failure 
parameters. These are then used in order to assess system characteristics like its safety integrity or 
expected reliability. 

On the one hand, additional effort is necessary for the probabilistic quantification of the 
TOP event's parameters with consideration of event sequences. On the other hand, the TFTA's 
quantification yields smaller values than the conventional Boolean FTA. 

This chapter is structured in four sections: 

• Chapter 5.1 starts with the basics of probabilistic quantification of the Boolean FTA. 

• Chapter 5.2 describes the concept behind the quantification of the TFTA, which is based 
on failure densities. 

• Chapter 5.3 discusses direct quantification of the PAND and SAND operations. 

• Using these, chapter 5.4 then describes the quantification of entire temporal failure 
functions, i.e. the calculation of the TOP event's failure probability, failure density, and failure 
rate. 

• As these calculations require exponentially increasing calculatory effort, chapter 5.5 
introduces a simplification which provides approximated failure characteristics for temporal 
expressions. 

Note: In chapter 4 the qualitative TFTA was discussed for non-repairable components and their 
failures, only. This restriction also applies to the concept of quantification including chapter 
5.3.1. Chapter 5.3.2 then focuses on the special case where failure parameters are distributed 
exponentially. 

5.1 Quantification of the Boolean FTA 

In the Boolean as well as the temporal FTA the probabilistic analysis of the TOP event is based 
on the system’s TOP failure function as provided by a preceding qualitative analysis. Usually, 
this logic expression is then transformed (using the transformation laws of Boolean or temporal 
logic) into a form which is well suited for the task at hand (in this case: quantification). 

For example, the minimal cutset form of the Boolean failure function of the system described 
in (4.106) is given as 

$\varphi = \bigvee_{j} \mathrm{MCS}_j = \bigvee_{j}\left(\bigwedge_{i} X_{j,i}\right)$ . 

This form is very clear and well suited for qualitative analysis. On the other hand, there is an 
equivalent but less clear form of the same failure function, as given in (4.108): 

j=l i=l 

Here, the minimal cutsets are mutually exclusive (disjoint), which is less easily readable but 
simplifies probabilistic analyses. 

The quantification of minimal cutsets of the conventional FTA, with Boolean AND and OR 
and NOT, is well known; it is mentioned here only for completeness. 

Assuming $n$ mutually independent events, there are 

$F_{\mathrm{AND}}(t) = \prod_{i=1}^{n} F_i(t)$ , (5.1) 

$F_{\mathrm{OR}}(t) = 1 - \prod_{i=1}^{n}\left(1 - F_i(t)\right)$ , (5.2) 

$f_{\mathrm{AND}}(t) = \sum_{i=1}^{n} f_i(t) \cdot \prod_{\substack{j=1 \\ j \neq i}}^{n} F_j(t)$ , (5.3) 

$f_{\mathrm{OR}}(t) = \sum_{i=1}^{n} f_i(t) \cdot \prod_{\substack{j=1 \\ j \neq i}}^{n}\left(1 - F_j(t)\right)$ . (5.4) 

Failure functions of fault trees are usually complex expressions with non-independent events and 
sub-expressions. It is, thus, convenient to reduce such failure functions into their minimal cutset 
form before quantification, as well as to further transform the minimal cutsets into a mutually 
exclusive (disjoint) form. This is, for example, described in [80, 81] (and for non-monotonous 
functions in [82, 83]). Disjoint events simplify quantification; instead of the generic (5.2) and 
(5.4), the much simpler 

$F_{\mathrm{OR}}(t) = \sum_{i=1}^{n} F_i(t)$ , (5.5) 

$f_{\mathrm{OR}}(t) = \sum_{i=1}^{n} f_i(t)$ (5.6) 

may be used. 

In monotonous fault trees with non-repairable failure events, negated events are used exclu¬ 
sively as conditional events; and as such, there is no failure density of negated events. This is 
also true in case of TFTA, as shown by the discussions in chapter 4.2.8: negated events occur 
only prior to other (non-negated) events. 

The probability of occurrence of a negated event $\neg X_i$ is then given by 

$F_{\neg X_i}(t) = 1 - F_{X_i}(t) = R_{X_i}(t)$ . (5.7) 

5.2 Quantification of the TFTA: Temporal Concept and Failure 
Frequencies 

Other than the Boolean FTA, the temporal logic of the TFTA permits restrictions on the 
sequence of event occurrence in conjunctions. Any quantification of the TFTA, therefore, must 
also take only specific event sequences into account. This chapter explains in general, how this 
may be accomplished. Chapter 5.3 then uses these basics and derives specific rules for the 
quantification of the temporal operators PAND and SAND, respectively. 

In general, failure probabilities, failure densities, and failure rates are given as [14] 

$f_X(t) = \frac{\mathrm{d}F_X(t)}{\mathrm{d}t}$ and (5.8) 

$f_X(t) = \lambda_X(t) \cdot \left(1 - F_X(t)\right) = \lambda_X(t) \cdot R_X(t)$ . (5.9) 

In case of constant failure rates the failure probabilities and failure densities are then given as 

$F_X(t) = 1 - e^{-\lambda_X t}$ and $f_X(t) = \lambda_X \cdot e^{-\lambda_X t}$ . (5.10) 


5.2.1 Sequences with Two Events 

In a conjunction with independent inputs (basic events) $A$ and $B$ there is 

$F_{A \wedge B}(t) = F_A(t) \cdot F_B(t)$ . (5.11) 

This is the probability that at time $t$ both fault tree events $A$ and $B$ are True. This is also the 
probability that the failures represented by $A$ and $B$ have both occurred at some time during 
the interval $]0;t]$. It is not possible, though, to make specific statements on either the sequence of 
these failures or on the absolute point in time at which the failures occurred. 

Other than the failure probability $F(t)$, the failure density $f(t)$ does consider event sequences, 
as 

$f_{A \wedge B}(t) = \frac{\mathrm{d}}{\mathrm{d}t} F_{A \wedge B}(t) = f_B(t)\,F_A(t) + f_A(t)\,F_B(t)$ (5.12) 

and thus, using (5.9), 

$f_{A \wedge B}(t) = F_A(t)\,R_B(t)\,\lambda_B(t) + F_B(t)\,R_A(t)\,\lambda_A(t)$ . (5.13) 

Equation (5.13) may be interpreted as the probability per time, that [84] 

• either: $A$ has occurred at some time in interval $]0;t]$, i.e. $F_A(t)$, and $B$ has not occurred in 
interval $]0;t]$, i.e. $R_B(t)$, and $B$ will occur in the (infinitesimally) short period $]t;t+\Delta t]$ 
after $t$, i.e. $\lambda_B(t)$; 

• or: $B$ has occurred at some time in interval $]0;t]$, i.e. $F_B(t)$, and $A$ has not occurred in 
interval $]0;t]$, i.e. $R_A(t)$, and $A$ will occur in the (infinitesimally) short period $]t;t+\Delta t]$ 
after $t$, i.e. $\lambda_A(t)$. 

These two possibilities represent the two sequences “A first, and then B” and “B first, and then 
A”, which are mutually exclusive. Therefore, their probabilities may simply be added. 

This makes it possible to quantify specific event sequences. If, for example, only the event 
sequence “A first, and then B” is relevant, then 

$f_{\text{“A first, and then B”}}(t) = F_A(t) \cdot \frac{\mathrm{d}F_B(t)}{\mathrm{d}t} = f_B(t)\,F_A(t) = \lambda_B(t)\,R_B(t)\,F_A(t)$ . (5.14) 


The corresponding failure probability is given by integration over the density: 

$F_{\text{“A first, and then B”}}(t) = \int_0^t f_{\text{“A first, and then B”}}(\tau)\,\mathrm{d}\tau = \int_0^t f_B(\tau)\,F_A(\tau)\,\mathrm{d}\tau$ . (5.15) 


5.2.2 Sequences with More Than Two Events 

In case of more than two events, the sequence(s) of those events must also be considered that 
are not the “last occurring” events. For an AND gate with three inputs $A$, $B$, and $C$, where 
event sequence “A first, and then B, and then C” is relevant, it is thus not sufficient to simply 
take the derivative of $F_{A \wedge B \wedge C}$ as 

$f_{A \wedge B \wedge C}(t) = f_A(t)\,F_B(t)\,F_C(t) + f_B(t)\,F_A(t)\,F_C(t) + f_C(t)\,F_A(t)\,F_B(t)$ . (5.16) 

None of the expressions on the right side of (5.16) represents the relevant event sequence “A 
first, and then B, and then C”. E.g., $f_C(t)\,F_A(t)\,F_B(t)$ is the density contribution of “A and B 
first, and then C”; it thus represents both event sequences “A first, and then B, and then C” 
and “B first, and then A, and then C”. 

On the other hand, it is possible to correctly take the “not-last-occurring” events (here: $A$ 
and $B$) into account. It is necessary to treat “A first, and then B” as an entity by itself, thus 

$f_{\text{“A first, and then B, and then C”}}(t) = f_{\text{“(A first, and then B) first, and then C”}}(t) = f_C(t)\,F_{\text{“A first, and then B”}}(t)$ . 

Using (5.15) the failure density is then given as 

$f_{\text{“A first, and then B, and then C”}}(t) = f_C(t) \int_0^t f_B(\tau)\,F_A(\tau)\,\mathrm{d}\tau$ . (5.17) 

Finally, the failure probability is obtained by integration: 

$F_{\text{“A first, and then B, and then C”}}(t) = \int_0^t f_C(\tau) \int_0^{\tau} f_B(\tau')\,F_A(\tau')\,\mathrm{d}\tau'\,\mathrm{d}\tau$ . (5.18) 

This method allows quantification of arbitrarily complex sequences with more than two events. 
5.2.3 What Parameter to Use in Probabilistic Analyses? 

Safety standards, as e.g. IEC 61508 or ISO 26262, require verification that systems meet specific 
failure rates $\lambda(t)$ [85]; evidence to verify that may be provided using probabilistic FTA. If the 
failure probability $F(t)$ and failure frequency $f(t)$ are given, then the failure rate is derived from 
(5.9). 

In most cases it is not necessary to provide the failure rate, though. In the safety domain, 
the absolute probabilities of failure events occurring is usually so small that $F(t) \ll 1$, and thus 
with (5.9) 

$f(t) \approx \lambda(t)$ . (5.19) 

In such cases, the failure frequency is a good approximation of the failure rate, and may be 
directly used as target value. 

5.3 Quantification of the PAND and SAND Operators 

Based on the generic method of quantification of event sequences in chapter 5.2, the TFTA’s 
temporal operations may now be quantified. 

But first it is helpful to grasp the temporal meaning of PAND and SAND operations 
probabilistically; this is accomplished in chapter 5.3.1. Chapter 5.3.2 compares the TFTA with a 
state-based model as reference, and thereby demonstrates the correctness of the TFTA's 
quantification. 

5.3.1 Quantification Using Logic Functions 

The failure probability is defined as the expected value for the occurrence of a failure [14], 
and thus 

$F_i(t) = E[X_i(t) = \mathrm{True}] = E[X_i(t)]$ . (5.20) 

Accordingly, the failure frequency is defined as [59] 

$f_i(t) = \lim_{\Delta t \to 0} \frac{1}{\Delta t}\, E[(X_i(t) = \mathrm{False}) \wedge (X_i(t+\Delta t) = \mathrm{True})] = \lim_{\Delta t \to 0} \frac{1}{\Delta t}\, E[\neg X_i(t) \wedge X_i(t+\Delta t)]$ . (5.21) 

By simple transformation an equivalent form is provided, which is specifically helpful for the 
further discussion: 

$f_i(t)\,\Delta t + o(\Delta t) = E[\neg X_i(t) \wedge X_i(t+\Delta t)]$ where $\lim_{\Delta t \to 0} \frac{o(\Delta t)}{\Delta t} = 0$ . (5.22) 

PAND Operation 

The PAND operator in $A\,\mathrm{PAND}\,B$ describes the occurrence of $B$ at time $t$ after $A$ has already 
occurred. Non-infinitesimally, this implies that 

• at time $t$ event $A$ has already occurred, and event $B$ has not yet occurred, and 

• at $t + \Delta t$ both, event $A$ as well as event $B$, have occurred. 

Therefore, 

$A(t) \wedge \neg B(t) \wedge A(t+\Delta t) \wedge B(t+\Delta t)$ , (5.23) 

from which with (5.22) follows (assuming independent events $A$ and $B$), that 

$f_{A\,\mathrm{PAND}\,B}(t)\,\Delta t + o(\Delta t) = E[A(t) \wedge \neg B(t) \wedge A(t+\Delta t) \wedge B(t+\Delta t)] = E[A(t) \wedge A(t+\Delta t)] \cdot E[\neg B(t) \wedge B(t+\Delta t)]$ . (5.24) 

The expected value $E[\neg B(t) \wedge B(t+\Delta t)]$ may be directly replaced by (5.22). The expected 
value $E[A(t) \wedge A(t+\Delta t)]$, on the other hand, is not equal to the simple product of the expected 
values of events $A(t)$ and $A(t+\Delta t)$, as they are not independent from each other. Instead, 

$E[A(t) \wedge A(t+\Delta t)] = E[A(t+\Delta t) \mid A(t)] \cdot E[A(t)] = E[A(t)]$ , (5.25) 

as a failure that has occurred at time $t$ “is still occurred” at $t + \Delta t$. Thus, 

$f_{A\,\mathrm{PAND}\,B}(t)\,\Delta t + o(\Delta t) = F_A(t) \cdot [f_B(t)\,\Delta t + o(\Delta t)]$ . (5.26) 

Division by $\Delta t$, and $\Delta t \to 0$, yields 

$f_{A\,\mathrm{PAND}\,B}(t) = \lim_{\Delta t \to 0}\left[F_A(t)\left(f_B(t) + \frac{o(\Delta t)}{\Delta t}\right) - \frac{o(\Delta t)}{\Delta t}\right]$ (5.27) 

and finally 

$f_{A\,\mathrm{PAND}\,B}(t) = F_A(t) \cdot f_B(t)$ . (5.28) 

Obviously, $A\,\mathrm{PAND}\,B$ from (5.28) is therefore equal to the sequence “A first, and then B” from 
(5.14). This allows to state the failure probability function of the PAND operator: 

$F_{A\,\mathrm{PAND}\,B}(t) = \int_0^t F_A(\tau)\,f_B(\tau)\,\mathrm{d}\tau$ . (5.29) 

SAND Operation 

The SAND operator in $A\,\mathrm{SAND}\,B$ describes the exact simultaneous occurrence of $A$ and $B$ at time 
$t$. Non-infinitesimally, this implies that 

• at time $t$ neither event $A$ nor event $B$ has already occurred, and 

• at $t + \Delta t$ both, event $A$ as well as event $B$, have occurred. 

Therefore, 

$\neg A(t) \wedge \neg B(t) \wedge A(t+\Delta t) \wedge B(t+\Delta t)$ , (5.30) 

from which follows (assuming independent events $A$ and $B$), that 

$f_{A\,\mathrm{SAND}\,B}(t)\,\Delta t + o(\Delta t) = E[\neg A(t) \wedge A(t+\Delta t)] \cdot E[\neg B(t) \wedge B(t+\Delta t)] = [f_A(t)\,\Delta t + o(\Delta t)] \cdot [f_B(t)\,\Delta t + o(\Delta t)] = f_A(t)\,\Delta t \cdot f_B(t)\,\Delta t + o(\Delta t) \cdot [\ldots]$ . 

Division by $\Delta t$, and $\Delta t \to 0$, yields 

$f_{A\,\mathrm{SAND}\,B}(t) = \lim_{\Delta t \to 0}\left(f_A(t)\,f_B(t)\,\Delta t + [\ldots] \cdot \frac{o(\Delta t)}{\Delta t}\right)$ (5.31) 

and finally 

$f_{A\,\mathrm{SAND}\,B}(t) = 0$ . (5.32) 

This implies that the probability of exact simultaneous occurrence of two independent events 
is always 0; every small deviation from simultaneousness is already covered - probabilistically - 
by the two PAND sequences of these events. Therefore, 

$F_{A\,\mathrm{SAND}\,B}(t) = 0$ , (5.33) 

$\lambda_{A\,\mathrm{SAND}\,B}(t) = 0$ . (5.34) 

Although the SAND operator may seem unnecessary from this probabilistic point of view, it 
is essential for the qualitative transformation of temporal expressions, as well as for qualitative 
analyses. Specifically, it provides the temporal law of idempotency in (4.43), which serves as an 
important filter for the simplification of temporal expressions. 

5.3.2 Quantification Using Comparison with State Diagrams 

Note: The statements up to (5.34) apply universally. After that, the further statements discuss 
exponentially distributed parameters, only. 

Looking back, chapter 5.2 approaches the question of quantification of the PAND operation 
from the definitions of the relevant parameters. Chapter 5.3 then demonstrates, that the logical 
meaning of PAND and SAND operations yields identical results, respectively. 

In this chapter these results are compared to a reference model in order to confirm them 
absolutely. 

This comparison is split into two parts. First, the Boolean AND and OR operations are 
quantified, then the quantification is extended to the temporal PAND and SAND operations 
using the law of completion from chapter 4.2.2. 

Boolean Operations 

Figure 5.1 shows the state diagram of an example system consisting of two non-repairable 
components $A$ and $B$ which have constant transition and failure rates $\lambda_{i,j}$; this diagram is the 
same as in figure 2.1. 

The state probabilities $P_i(t)$ are given by the following system of differential equations: 

$\begin{pmatrix} \dot P_1(t) \\ \dot P_2(t) \\ \dot P_3(t) \\ \dot P_4(t) \end{pmatrix} = \begin{pmatrix} -(\lambda_{1,2} + \lambda_{1,3} + \lambda_{1,4}) & 0 & 0 & 0 \\ \lambda_{1,2} & -\lambda_{2,4} & 0 & 0 \\ \lambda_{1,3} & 0 & -\lambda_{3,4} & 0 \\ \lambda_{1,4} & \lambda_{2,4} & \lambda_{3,4} & 0 \end{pmatrix} \begin{pmatrix} P_1(t) \\ P_2(t) \\ P_3(t) \\ P_4(t) \end{pmatrix}$ (5.35) 

Assuming Markov conditions are valid, events $A$ and $B$ have constant failure rates, and thus 

$\lambda_A = \lambda_{1,2} = \lambda_{3,4}$ and $\lambda_B = \lambda_{1,3} = \lambda_{2,4}$ . (5.36) 

Solving the system of differential equations (5.35) provides four state probabilities $P_1(t)$ to 
$P_4(t)$. Looking from a reliability and safety point of view, these probabilities may be interpreted, 
depending on how components $A$ and $B$ interact: 
• In case of parallel connection (redundant components) the system fails if both components, 
$A$ and $B$, fail. The system's failure function is $\varphi = A \wedge B$, and thus state 4 represents 
the system failure. As a consequence, $F_\varphi(t) = P_4(t)$ and $R_\varphi(t) = 1 - P_4(t) = P_1(t) + P_2(t) + P_3(t)$. 

• In case of series connection the system fails if either $A$ or $B$ or both, $A$ and $B$, fail. The 
system's failure function is $\varphi = A \vee B$, and thus states 2 and 3 and 4 represent the system 
failure. As a consequence, $F_\varphi(t) = P_2(t) + P_3(t) + P_4(t)$ and $R_\varphi(t) = 1 - F_\varphi(t) = P_1(t)$. 

Figure 5.1: State diagram of a system consisting of two non-repairable components $A$ and $B$ 
which have constant transition and failure rates $\lambda_{i,j}$. Failure states: 1: $\neg A \wedge \neg B$; 
2: $A \wedge \neg B$; 3: $B \wedge \neg A$; 4: $A \wedge B$. 


Simplification 

As a first step and using chapter 5.3.1, the transition representing the SAND is discarded, i.e. 
$\lambda_{1,4} = 0$. This is done assuming structural independence between $A$ and $B$. 

For the example system in (5.35) and with (5.36) this yields 

$F_{A \wedge B}(t) = P_4(t) = (1 - e^{-\lambda_A t})(1 - e^{-\lambda_B t}) = F_A(t)\,F_B(t)$ (5.37) 

and 

$F_{A \vee B}(t) = P_2(t) + P_3(t) + P_4(t) = 1 - e^{-(\lambda_A + \lambda_B)t} = 1 - [1 - F_A(t)][1 - F_B(t)]$ . (5.38) 

Generalization of these ideas again leads to the rules for quantification of Boolean operators, as 
already mentioned in (5.1) to (5.6). 

PAND and SAND Operations 

Temporal fault trees are quantified using their MCSS the same way as conventional fault trees 
are quantified using their minimal cutsets. State-transition diagrams show the correctness of 
the laws of completion, and they allow to derive an approach to quantification of temporal 
operations. 

Figure 5.2 shows the example system from chapter 5.3.2 with its different event sequences. 
Other than figure 5.1, state 4 (“A and B failed”) is now divided into three substates. State 4a 
describes the system where $A$ has occurred first, and then $B$ has occurred. State 4b describes 
the system where $B$ has occurred first, and then $A$ has occurred. State 4c describes the system 
where $A$ and $B$ have occurred simultaneously. These state diagrams are really sequential failure 
trees, see page 27. 

Figure 5.2: Markov model of the example system from figure 5.1 with division of state 4 “A and 
B have occurred” into three substates 4a, 4b, and 4c. Failure states: 1: $\neg A \wedge \neg B$; 
2: $A \wedge \neg B$; 3: $B \wedge \neg A$; 4: $A \wedge B$; 4a: $A\,\mathrm{PAND}\,B$; 4b: $B\,\mathrm{PAND}\,A$; 
4c: $A\,\mathrm{SAND}\,B$. 


These three possibilities are mutually exclusive (disjoint) and they are complete, i.e. there are 
no more possible ways for “A and B have occurred”. The probability for “superstate” 4 is then 
given as 

$P_4(t) = P_{4a}(t) + P_{4b}(t) + P_{4c}(t)$ . (5.39) 

The corresponding differential equation system of the states' probabilities may be given as the 
following matrix: 

$\begin{pmatrix} \dot P_1(t) \\ \dot P_2(t) \\ \dot P_3(t) \\ \dot P_4(t) \\ \dot P_{4a}(t) \\ \dot P_{4b}(t) \\ \dot P_{4c}(t) \end{pmatrix} = \begin{pmatrix} -(\lambda_{1,2} + \lambda_{1,3} + \lambda_{1,4c}) & 0 & 0 & 0 & 0 & 0 & 0 \\ \lambda_{1,2} & -\lambda_{2,4a} & 0 & 0 & 0 & 0 & 0 \\ \lambda_{1,3} & 0 & -\lambda_{3,4b} & 0 & 0 & 0 & 0 \\ \lambda_{1,4c} & \lambda_{2,4a} & \lambda_{3,4b} & 0 & 0 & 0 & 0 \\ 0 & \lambda_{2,4a} & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & \lambda_{3,4b} & 0 & 0 & 0 & 0 \\ \lambda_{1,4c} & 0 & 0 & 0 & 0 & 0 & 0 \end{pmatrix} \begin{pmatrix} P_1(t) \\ P_2(t) \\ P_3(t) \\ P_4(t) \\ P_{4a}(t) \\ P_{4b}(t) \\ P_{4c}(t) \end{pmatrix}$ (5.40) 


Figure 5.3 shows the Markov models corresponding to the example system's $A \wedge B$ and $A \vee B$. 
Assuming Markovian conditions yields 

$\lambda_A = \lambda_{1,2} = \lambda_{3,4b}$ and $\lambda_B = \lambda_{1,3} = \lambda_{2,4a}$ . (5.41) 

The solution of the set of differential equations in (5.40) for $\lambda_{1,4c} = 0$ yields the two equations 
known from (5.37) and (5.38): 

$F_{A \wedge B}(t) = P_4(t) = (1 - e^{-\lambda_A t})(1 - e^{-\lambda_B t}) = F_A(t)\,F_B(t)$ (5.42) 

and 

$F_{A \vee B}(t) = P_2(t) + P_3(t) + P_4(t) = 1 - e^{-(\lambda_A + \lambda_B)t} = 1 - [1 - F_A(t)][1 - F_B(t)]$ . (5.43) 

The law of completeness from chapter 4.2.2 allows representing an AND operation by PAND 
and SAND operations. Figure 5.4 shows the relevant state diagrams and failure functions. 
Solving the set of differential equations in (5.40) then yields 

$F_{A\,\mathrm{PAND}\,B}(t) = P_{4a}(t) = \int_0^t f_B(\tau)\,F_A(\tau)\,\mathrm{d}\tau$ , (5.44) 

$F_{B\,\mathrm{PAND}\,A}(t) = P_{4b}(t) = \int_0^t f_A(\tau)\,F_B(\tau)\,\mathrm{d}\tau$ , (5.45) 

$F_{A\,\mathrm{SAND}\,B}(t) = P_{4c}(t) = 0$ . (5.46) 

Figure 5.3: Markov model of the example system corresponding to failure functions $A \wedge B$ and 
$A \vee B$ and the set of differential equations in (5.40). System failure states are marked 
in bold. (Failure function $A \wedge B$: states 4a, 4b, 4c are relevant, $F_{A \wedge B}(t) = P_4(t)$. 
Failure function $A \vee B$: states 2, 3, 4 are relevant, $F_{A \vee B}(t) = P_2(t) + P_3(t) + P_4(t)$.) 
Insertion of (5.44), (5.45), and (5.46) in (5.39) provides 

$F_{A \wedge B}(t) = F_{A\,\mathrm{PAND}\,B}(t) + F_{B\,\mathrm{PAND}\,A}(t) + F_{A\,\mathrm{SAND}\,B}(t) = \int_0^t \left(f_B(\tau)\,F_A(\tau) + f_A(\tau)\,F_B(\tau)\right)\mathrm{d}\tau + 0 = F_A(t) \cdot F_B(t)$ . (5.47) 

This demonstrates that the law of completion holds also from a probabilistic point of view, 
and shows the correctness of the calculations in chapter 5.3. 

The corresponding failure frequencies and failure rates are then given by (5.8) and (5.9), 
respectively. 
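As an added worked example (my code, not the thesis's), the PAND quantification of chapters 5.2 and 5.3 carried through numerically for two constructed exponential components: (5.29) by Simpson's rule, the Markov model (5.40) with $\lambda_{1,4c} = 0$ integrated by RK4, and a closed form of (5.29) for constant rates that I derived, together with the completion check (5.47). All rates and times are constructed values.

```python
import math


def F_exp(lam, t):
    """Failure probability of an event with constant failure rate, (5.10)."""
    return 1.0 - math.exp(-lam * t)


def f_exp(lam, t):
    """Failure density of an event with constant failure rate, (5.10)."""
    return lam * math.exp(-lam * t)


def F_pand_integral(lam_a, lam_b, t, steps=2000):
    """F_{A PAND B}(t) = int_0^t F_A(tau) f_B(tau) dtau, eq. (5.29), by Simpson's rule."""
    if t <= 0.0:
        return 0.0
    steps += steps % 2                   # Simpson's rule needs an even number of intervals
    h = t / steps
    total = 0.0
    for k in range(steps + 1):
        tau = k * h
        weight = 1 if k in (0, steps) else (4 if k % 2 else 2)
        total += weight * F_exp(lam_a, tau) * f_exp(lam_b, tau)
    return total * h / 3.0


def F_pand_closed(lam_a, lam_b, t):
    """Closed form of (5.29) for constant rates (my own evaluation of the integral
    int_0^t (1 - e^{-lam_a tau}) lam_b e^{-lam_b tau} dtau)."""
    return F_exp(lam_b, t) - lam_b / (lam_a + lam_b) * F_exp(lam_a + lam_b, t)


def markov_states(lam_a, lam_b, t, steps=20000):
    """Integrate the Markov model (5.40) of figure 5.2 with lambda_{1,4c} = 0 (RK4).

    States: 1 = neither failed, 2 = only A failed, 3 = only B failed,
    4a = A first, then B; 4b = B first, then A; 4c = A and B simultaneously.
    Transition rates follow (5.41): 1->2 and 3->4b with lam_a, 1->3 and 2->4a with lam_b.
    """
    def deriv(p):
        p1, p2, p3, _p4a, _p4b, _p4c = p
        return (-(lam_a + lam_b) * p1,        # dP1/dt
                lam_a * p1 - lam_b * p2,      # dP2/dt
                lam_b * p1 - lam_a * p3,      # dP3/dt
                lam_b * p2,                   # dP4a/dt: B fails after A
                lam_a * p3,                   # dP4b/dt: A fails after B
                0.0)                          # dP4c/dt: lambda_{1,4c} = 0

    p = [1.0, 0.0, 0.0, 0.0, 0.0, 0.0]        # the system starts in state 1
    h = t / steps
    for _ in range(steps):
        k1 = deriv(p)
        k2 = deriv([x + 0.5 * h * k for x, k in zip(p, k1)])
        k3 = deriv([x + 0.5 * h * k for x, k in zip(p, k2)])
        k4 = deriv([x + h * k for x, k in zip(p, k3)])
        p = [x + h / 6.0 * (a + 2 * b + 2 * c + d)
             for x, a, b, c, d in zip(p, k1, k2, k3, k4)]
    return dict(zip(("1", "2", "3", "4a", "4b", "4c"), p))


def completion_gap(lam_a, lam_b, t):
    """Residual of the law of completion (5.47):
    F_{A PAND B} + F_{B PAND A} + F_{A SAND B} - F_A * F_B, which must be zero."""
    F_sand = 0.0                              # (5.33)
    return (F_pand_closed(lam_a, lam_b, t) + F_pand_closed(lam_b, lam_a, t)
            + F_sand - F_exp(lam_a, t) * F_exp(lam_b, t))


if __name__ == "__main__":
    # constructed example values: lambda_A = 1e-3 /h, lambda_B = 2e-3 /h, t = 1000 h
    LA, LB, T = 1e-3, 2e-3, 1000.0
    p = markov_states(LA, LB, T)
    print("F_{A PAND B}: integral %.6f  closed %.6f  Markov P4a %.6f"
          % (F_pand_integral(LA, LB, T), F_pand_closed(LA, LB, T), p["4a"]))
    print("F_{B PAND A}: closed %.6f  Markov P4b %.6f"
          % (F_pand_closed(LB, LA, T), p["4b"]))
    print("F_A * F_B = %.6f, completion residual = %.2e"
          % (F_exp(LA, T) * F_exp(LB, T), completion_gap(LA, LB, T)))
```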


5.4 Quantification of the Temporal Failure Function 

Chapter 5.2 shows the basic concept of quantifying event sequences. Applying this concept to 
arbitrary temporal expressions in TDNF allows the quantification of temporal fault trees, i.e. 
calculation of their events' - and especially their TOP event's - failure probabilities and failure 
rates. 

5.4.1 Quantification of Event Sequences and MCSS 

The probabilistic quantification of a fault tree requires, firstly, to determine its MCSS, i.e. all the 
critical event combinations (including their sequences) in minimal form. This is done using the 
rules for qualitative transformations from chapters 4.2 and 4.3. In a next step, the probabilistic 
parameters are determined for each of the MCSS; these parameters are then used to calculate 
the TOP event's parameters. 

Figure 5.4: Markov model of the example system corresponding to failure functions $A\,\mathrm{PAND}\,B$, 
$B\,\mathrm{PAND}\,A$, and $A\,\mathrm{SAND}\,B$ and the set of differential equations in (5.40). System failure 
states are marked in bold. (Failure function $A\,\mathrm{PAND}\,B$: state 4a is relevant, 
$F_{A\,\mathrm{PAND}\,B}(t) = P_{4a}(t)$; failure function $B\,\mathrm{PAND}\,A$: state 4b is relevant, 
$F_{B\,\mathrm{PAND}\,A}(t) = P_{4b}(t)$; failure function $A\,\mathrm{SAND}\,B$: state 4c is relevant, 
$F_{A\,\mathrm{SAND}\,B}(t) = P_{4c}(t)$.) 


Simplification for Independent Failure Events 

In case of independent failure events an essential simplification is possible: According to chapter 
5.3 all MCSS may be omitted that include at least one SAND. They are omitted after 
transforming the temporal expression into its MCSS but before the MCSS are quantified. MCSS 
including SANDs are only relevant for the qualitative analysis and provide no probabilistic 
contribution to the failure rates, failure frequencies, and failure probabilities of the temporal failure 
function. Only MCSS without SAND are then quantified. Thus, the quantification is carried 
out for MCSS of the following type: 

$X_1\,\mathrm{PAND}\,X_2\,\mathrm{PAND}\,\ldots\,\mathrm{PAND}\,X_n$ , (5.48) 

possibly also in conjunction with negated events 

$(\neg X_I \wedge \neg X_{II} \wedge \ldots) \wedge (X_1\,\mathrm{PAND}\,X_2\,\mathrm{PAND}\,\ldots\,\mathrm{PAND}\,X_n)$ . (5.49) 

MCSS according to (5.48) may be directly quantified using convolutions of the failure frequencies, 
see (5.28) and (5.29), thus 

$f_{\mathrm{MCSS}}(t) = f_{X_1\,\mathrm{PAND}\,X_2\,\mathrm{PAND}\,\ldots\,\mathrm{PAND}\,X_n}(t) = f_{X_n}(t) \int_0^{t} f_{X_{n-1}}(\tau^{(1)}) \int_0^{\tau^{(1)}} f_{X_{n-2}}(\tau^{(2)}) \cdots \int_0^{\tau^{(n-3)}} f_{X_2}(\tau^{(n-2)}) \int_0^{\tau^{(n-2)}} f_{X_1}(\tau^{(n-1)}) \cdot \mathrm{d}\tau^{(n-1)} \cdots \mathrm{d}\tau^{(2)}\,\mathrm{d}\tau^{(1)}$ . (5.50) 


MCSS with Negated Events 

The probabilities of negated events, which are part of MCSS, are multiplied to these results. 
Therefore, the MCSS' quantification according to (5.49) is given as 

$f_{\mathrm{MCSS}}(t) = f_{(\neg X_I \wedge \neg X_{II} \wedge \ldots) \wedge (X_1\,\mathrm{PAND}\,X_2\,\mathrm{PAND}\,\ldots\,\mathrm{PAND}\,X_n)}(t) = f_{X_1\,\mathrm{PAND}\,X_2\,\mathrm{PAND}\,\ldots\,\mathrm{PAND}\,X_n}(t) \cdot R_{X_I}(t) \cdot R_{X_{II}}(t) \cdots$ (5.51) 

where $f_{X_1\,\mathrm{PAND}\,X_2\,\mathrm{PAND}\,\ldots\,\mathrm{PAND}\,X_n}(t)$ comes from (5.50). 


Failure Probability and Failure Rate 

The failure probabilities and failure rates corresponding to (5.50) and (5.51) are then given by 
using the generic equations (5.8) and (5.9). 

5.4.2 Quantification of Extended Event Sequences 

Extended event sequences and extended MCSS include at least one extended core event. They 
are, therefore, a mixture of a Boolean and a temporal logic expression. In their logical statement 
extended MCSS combine several real MCSS and thus cover several event sequences, see chapter 
4.4. 

All extended MCSS may be omitted that include at least one SAND connection; for independent 
events, these do not contribute probabilistically to the event probabilities. 

Extended MCSS with One Extended Core Event 

Let 

$X_1\,\mathrm{PAND}\,\ldots\,\mathrm{PAND}\,X_{k-1}\,\mathrm{PAND}\,\hat X_k\,\mathrm{PAND}\,X_{k+1}\,\mathrm{PAND}\,\ldots\,\mathrm{PAND}\,X_{n-1}\,\mathrm{PAND}\,X_n$ with $\hat X_k = X_{k,1} \wedge X_{k,2} \wedge \ldots \wedge X_{k,r}$ (5.52) 

be an extended MCSS with one extended core event ($w = 1$) at position $k$ within the PAND 
chain, and let the extended core event consist of $r$ basic events that are AND connected. 

Using (5.3), the failure frequency for $\hat X_k(t)$ is then given as 

Event sequences (and thus MCSS, too) must not include the same basic event more than once, 
as stated by the laws of contradiction in (4.42) for normal and (4.126) for extended temporal 
expressions. 

All events in an (extended) MCSS are thus mutually independent; therefore, the failure 
frequency of an extended core event may be calculated independently from the rest of the 
expression and using (5.53). It is then inserted into the overall failure frequency of the extended 
MCSS: 

$f_{\mathrm{MCSS}}(t) = f_{X_1\,\mathrm{PAND}\,\ldots\,\mathrm{PAND}\,X_{k-1}\,\mathrm{PAND}\,\hat X_k\,\mathrm{PAND}\,X_{k+1}\,\mathrm{PAND}\,\ldots\,\mathrm{PAND}\,X_n}(t) = f_{X_n}(t) \int_0^{t} f_{X_{n-1}}(\tau^{(1)}) \cdots \int_0^{\tau^{(n-k-1)}} f_{X_{k+1}}(\tau^{(n-k)}) \int_0^{\tau^{(n-k)}} \underbrace{f_{\hat X_k}(\tau^{(n-k+1)})}_{\text{from (5.53)}} \int_0^{\tau^{(n-k+1)}} \cdots \int_0^{\tau^{(n-2)}} f_{X_1}(\tau^{(n-1)}) \cdot \mathrm{d}\tau^{(n-1)} \cdots \mathrm{d}\tau^{(1)}$ (5.54) 


Extended MCSS with Several Extended Core Events 

In case of extended MCSS with more than one extended core event, thus $w > 1$, 

1. the $f_{\hat X_k}(t)$ are calculated according to (5.53) for each of the $w$ extended core events, and 

2. the resulting $w$ failure frequencies are then inserted into the overall failure frequency of 
the extended MCSS; this is the same as in case of $w = 1$ from (5.54). 

MCSS with Negated Events 

The probabilities of negated events that are part of extended MCSS are considered in analogy 
to (5.51). 

Failure Probability and Failure Rate 

An extended MCSS’ failure probability is given using (5.8) by integrating over (5.54); the 
corresponding failure rate is then given by (5.9). 

5.4.3 Quantification of the Temporal Failure Function on TOP Level 

MCSS resulting from the method in chapter 4.3 are mutually exclusive (disjoint). 

Therefore, the TOP event's failure probability and failure frequency are given by (5.5) and 
(5.6) and are the simple sum of the probabilistic contributions of the disjoint MCSS: 

$F_{\mathrm{TOP}}(t) = \sum_{i} F_{\mathrm{MCSS}_i}(t)$ , (5.55) 

$f_{\mathrm{TOP}}(t) = \sum_{i} f_{\mathrm{MCSS}_i}(t)$ . (5.56) 

The parameters of the disjoint MCSS come 

• from chapter 5.4.1 in case of normal MCSS and 

• from chapter 5.4.2 in case of extended MCSS. 
5.5 Reducing the Computing Time 

The calculatory effort necessary for the multiple integrals in (5.50), (5.51), and (5.54) is high; 
this is especially true for complex temporal fault trees and their complex failure functions. This 
is not helpful to the TFTA's declared goal to facilitate modelling of event sequences for large 
and complex systems. 

The following chapter therefore presents an approximative approach to the calculation of 
failure probabilities, failure frequencies, and MCSS in order to significantly reduce the calculatory 
effort. Essential prerequisites to this approximation are 

• constant failure rates of all basic events, i.e. exponentially distributed failure probabilities, 
and 

• “small enough” failure probabilities and failure rates, i.e. the “small value assumption” 
from (5.19) must be valid that $\lambda t \ll 1$ and thus $f(t) \approx \lambda(t)$; in a safety context this is 
usually a given. 

5.5.1 Temporal Terms in MCSS Format 

First, temporal expressions in MCSS form are discussed; they result e.g. from qualitative 
transformations of a TFTA according to chapter 4.3. 

MCSS Without Negated Events 

The failure probability and failure rate of MCSS without negated events, which include at least 
one SAND, is always zero according to the discussion following page 67. 

Therefore, the quantification is again based on MCSS without negated events as shown in 
(5.48). The corresponding failure probability is given by integration over (5.50) which yields 

$F_{\mathrm{MCSS}}(t) = F_{X_1\,\mathrm{PAND}\,X_2\,\mathrm{PAND}\,\ldots\,\mathrm{PAND}\,X_n}(t) = \int_0^t f_{X_1\,\mathrm{PAND}\,X_2\,\mathrm{PAND}\,\ldots\,\mathrm{PAND}\,X_n}(\tau)\,\mathrm{d}\tau = \int_0^t f_{X_n}(\tau) \int_0^{\tau} f_{X_{n-1}}(\tau^{(1)}) \cdots \int_0^{\tau^{(n-2)}} f_{X_1}(\tau^{(n-1)}) \cdot \mathrm{d}\tau^{(n-1)} \cdots \mathrm{d}\tau^{(1)}\,\mathrm{d}\tau$ . (5.57) 

With a total of n basic events that constitute an MCSS, each MCSS represents exactly one 
event sequence of the n! possible permutations. The probability that all n events included in 
an MCSS have occurred at time t is given by (5.1) for the case that no event sequences are 
distinguished; this yields 


$$
F_{X_1 \wedge X_2 \wedge \ldots \wedge X_n}(t) = F_{X_1}(t) \cdot F_{X_2}(t) \cdots F_{X_n}(t) = \prod_{i=1}^{n} F_{X_i}(t) . \qquad (5.58)
$$

For exponentially distributed and very small failure rates equation (5.19) then allows the approximation that

$$
f(t) \approx \lambda(t) = \lambda \qquad (5.59)
$$

and therefore

$$
F(t) \approx \lambda t \qquad \text{for } \lambda t \ll 1 . \qquad (5.60)
$$
Then,

$$
F_{X_1 \wedge X_2 \wedge \ldots \wedge X_n}(t) \approx \lambda_{X_1} t \cdot \lambda_{X_2} t \cdots \lambda_{X_n} t = \prod_{i=1}^{n} (\lambda_{X_i} t) . \qquad (5.61)
$$

If all n failure rates $\lambda_X = \lambda_{X_1} = \ldots = \lambda_{X_n}$ are equal, all n! possible permutations of the event sequences occur with the same probability; thus, for each MCSS

$$
F_{MCSS}(t) \approx \frac{1}{n!} \, (\lambda_X t)^n . \qquad (5.62)
$$

Equation (5.62) is also a generic approximation in case of different failure rates, if the highest of the n failure rates satisfies the condition that

$$
\max(\lambda_{X_1}; \lambda_{X_2}; \ldots; \lambda_{X_n}) \cdot t \ll 1 . \qquad (5.63)
$$

Thus,

$$
F_{MCSS}(t) \approx \frac{1}{n!} \prod_{i=1}^{n} (\lambda_{X_i} t) . \qquad (5.64)
$$


The approximation for an MCSS’ failure frequency is provided accordingly. Let, without loss of generality, $X_n$ be the last occurring event in an MCSS with n involved events; then

$$
f_{MCSS}(t) = f_{X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} \ldots \overrightarrow{\wedge} X_n}(t) = f_{X_n}(t) \cdot F_{X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} \ldots \overrightarrow{\wedge} X_{n-1}}(t) ; \qquad (5.65)
$$

from this follows with (5.59) and (5.60) that

$$
f_{MCSS}(t) \approx \frac{1}{(n-1)!} \cdot \lambda_{X_n} \cdot \prod_{i=1}^{n-1} (\lambda_{X_i} t) . \qquad (5.66)
$$


MCSS with Negated Events

An approximation for MCSS with negated events combines the procedure of chapter 5.4.1 - with the probability of negated events from (5.7) - and the quantification approach to MCSS without negated events, as discussed above. Using (5.64) and (5.66) this yields

$$
F_{MCSS}(t) = F_{(\neg X_I \wedge \neg X_{II} \wedge \ldots) \wedge (X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} \ldots \overrightarrow{\wedge} X_n)}(t) \approx \frac{1}{n!} \prod_{i=1}^{n} (\lambda_{X_i} t) \cdot R_{X_I}(t) \cdot R_{X_{II}}(t) \cdots , \qquad (5.67)
$$

$$
f_{MCSS}(t) = f_{X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} \ldots \overrightarrow{\wedge} X_n}(t) \cdot R_{X_I}(t) \cdot R_{X_{II}}(t) \cdots \approx \frac{1}{(n-1)!} \cdot \lambda_{X_n} \cdot \prod_{i=1}^{n-1} (\lambda_{X_i} t) \cdot R_{X_I}(t) \cdot R_{X_{II}}(t) \cdots . \qquad (5.68)
$$
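The following Python code is an added illustration of chapter 5.5.1 and is not part of the thesis: it evaluates the nested integral (5.57) numerically for constant failure rates and sets the result against the closed-form approximations (5.64) and (5.66), including the survival factors of negated events from (5.67) and (5.68). The function names (`sequence_probability`, `mcss_approx`, `relative_error`, `equal_rate_reference`), the trapezoidal integration and the sample rates are constructions for this example.

```python
"""Exact vs. approximated quantification of an MCSS X1 PAND X2 PAND ... PAND Xn.

Added example (not from the thesis). Constant failure rates are assumed, so
f_Xi(t) = lambda_i * exp(-lambda_i t); negated events enter as survival
factors R_Xj(t) = exp(-lambda_j t), as in (5.67) and (5.68).
"""
import math
from math import factorial, prod


def sequence_probability(rates, t, steps=2000):
    """Exact F_MCSS(t) and f_MCSS(t) from the nested integral (5.57).

    P_k(tau) = int_0^tau f_k(s) * P_{k-1}(s) ds with P_0 = 1 is evaluated on a
    uniform grid with the trapezoidal rule; P_n(t) is F_MCSS(t) and, by (5.65),
    f_MCSS(t) = f_n(t) * P_{n-1}(t).
    """
    h = t / steps
    grid = [i * h for i in range(steps + 1)]
    prev = [1.0] * (steps + 1)          # P_0 == 1 everywhere
    f_last = None
    for lam in rates:
        f_last = lam * math.exp(-lam * t) * prev[-1]   # f_k(t) * P_{k-1}(t)
        integrand = [lam * math.exp(-lam * s) * p for s, p in zip(grid, prev)]
        cur = [0.0] * (steps + 1)
        for i in range(1, steps + 1):
            cur[i] = cur[i - 1] + 0.5 * h * (integrand[i - 1] + integrand[i])
        prev = cur
    return prev[-1], f_last


def mcss_approx(rates, t, negated=()):
    """(5.67) and (5.68): small-value approximation, optionally with negated events.
    rates[-1] is the last occurring event X_n, negated holds the rates of X_I, X_II, ..."""
    n = len(rates)
    survive = prod(math.exp(-lam * t) for lam in negated)
    F = prod(lam * t for lam in rates) / factorial(n) * survive
    f = rates[-1] * prod(lam * t for lam in rates[:-1]) / factorial(n - 1) * survive
    return F, f


def equal_rate_reference(lam, n, t):
    """Closed form for n events with one common rate: all n! orderings are equally
    likely, so F_MCSS = F(t)^n / n! and f_MCSS = f(t) * F(t)^(n-1) / (n-1)!."""
    Ft = 1.0 - math.exp(-lam * t)
    ft = lam * math.exp(-lam * t)
    return Ft ** n / factorial(n), ft * Ft ** (n - 1) / factorial(n - 1)


def relative_error(rates, t):
    """Conservatism of the approximation: (approx - exact) / exact for F and f."""
    F_ex, f_ex = sequence_probability(rates, t)
    F_ap, f_ap = mcss_approx(rates, t)
    return (F_ap - F_ex) / F_ex, (f_ap - f_ex) / f_ex


if __name__ == "__main__":
    # Constructed sample: three events with rates in 1/h, growing mission times.
    rates = [1e-4, 2e-4, 5e-5]
    for t in (100.0, 2000.0, 20000.0):
        print(t, sequence_probability(rates, t), mcss_approx(rates, t),
              relative_error(rates, t))
```

Running the block shows the point of the "small value assumption": at $\lambda t \approx 10^{-2}$ the approximation overestimates the exact sequence probability by roughly one to two percent, and the error grows with $\lambda t$, so the approximation stays conservative but loses accuracy once (5.63) no longer holds.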
5.5.2 Temporal Terms in an Extended MCSS Format

The assumptions from chapter 5.5.1 still hold; specifically, no SAND connections are considered, as they do not contribute probabilistically.

Extending the method with minimized computational effort to extended MCSS requires discussing how many normal MCSS are covered by an extended MCSS.

In a very simple example, the extended MCSS $(X_1 \wedge X_2) \overrightarrow{\wedge} X_3$ covers two normal MCSS, $X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_3$ and $X_2 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_3$, which are disjoint. Using (5.62), each of these two normal MCSS has a probability of

$$
F_{X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_3}(t) = F_{X_2 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_3}(t) \approx \frac{1}{6} \, \lambda_{X_1} t \, \lambda_{X_2} t \, \lambda_{X_3} t . \qquad (5.69)
$$

Accordingly,

$$
F_{(X_1 \wedge X_2) \overrightarrow{\wedge} X_3}(t) \approx 2 \cdot \frac{1}{6} \, \lambda_{X_1} t \, \lambda_{X_2} t \, \lambda_{X_3} t = \frac{1}{3} \, \lambda_{X_1} t \, \lambda_{X_2} t \, \lambda_{X_3} t . \qquad (5.70)
$$

All normal MCSS that are covered by an extended MCSS are mutually exclusive (disjoint) because of the temporal law of completion. An extended MCSS’ failure probability and failure frequency is therefore given as the simple sum of the failure probabilities and failure frequencies of the normal MCSS that are covered by the extended MCSS.

In general and without SAND connections, the number T of normal MCSS that are covered by an extended MCSS depends

• on w, which is the number of extended core events in the extended MCSS, and

• on $r_i$ for each extended core event $i \in \{1, \ldots, w\}$, which is the number of its AND connected basic events, and

• on $k_i$, which is the corresponding extended core event’s position in the MCSS.

Some examples:

$(X_1 \wedge X_2) \overrightarrow{\wedge} X_3 \;\rightarrow\; w = 1;\ r = 2;\ k = 1,$

$X_1 \overrightarrow{\wedge} (X_2 \wedge X_3) \;\rightarrow\; w = 1;\ r = 2;\ k = 2,$

$(X_1 \wedge X_2) \overrightarrow{\wedge} (X_3 \wedge X_4) \;\rightarrow\; w = 2;\ r_1 = r_2 = 2;\ k_1 = 1;\ k_2 = 3,$

$X_1 \overrightarrow{\wedge} (X_2 \wedge X_3 \wedge X_4) \;\rightarrow\; w = 1;\ r = 3;\ k = 2 .$

In the third example it is noteworthy that $k_2 = 3$. The position of the $i \in \{2, \ldots, w\}$-th core event is calculated including all events; even those events in “preceding” core events are considered, i.e. events on the left side of the i-th extended core event in the MCSS. SAND connections are omitted, though:

$$
(X_1 \wedge X_2) \overrightarrow{\wedge} (X_3 \wedge X_4) = [X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} (X_3 \wedge X_4)] \vee [X_2 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} (X_3 \wedge X_4)] . \qquad (5.71)
$$

The position of the second extended core event is therefore $k_2 = 3$.

In general, each extended core event i with $r_i$ basic events and standing at position $k_i$ covers

$$
T_i = r_i! \cdot \binom{(k_i - 1) + (r_i - 1)}{(k_i - 1)} \qquad (5.72)
$$

normal MCSS. This follows from $r_i!$ possible permutations within the extended core event. For each permutation the $(k_i - 1)$ preceding events (left of the extended core event) may then hold $(k_i - 1) + (r_i - 1)$ possible positions, as described in (4.48).

Some examples: 





• $(X_1 \wedge X_2) \overrightarrow{\wedge} X_3 \;\rightarrow\; w = 1;\ r = 2;\ k = 1 \;\rightarrow\; T = 2$:
  $\rightarrow\; X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_3 ,\ X_2 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_3 .$

• $X_1 \overrightarrow{\wedge} (X_2 \wedge X_3) \;\rightarrow\; w = 1;\ r = 2;\ k = 2 \;\rightarrow\; T = 4$:
  $\rightarrow\; X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_3 ,\ X_1 \overrightarrow{\wedge} X_3 \overrightarrow{\wedge} X_2 ,\ X_2 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_3 ,\ X_3 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_2 .$

• $X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} (X_3 \wedge X_4) \;\rightarrow\; w = 1;\ r = 2;\ k = 3 \;\rightarrow\; T = 6$:
  $\rightarrow\; X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_3 \overrightarrow{\wedge} X_4 ,\ X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_4 \overrightarrow{\wedge} X_3 ,\ X_1 \overrightarrow{\wedge} X_3 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_4 ,$
  $\phantom{\rightarrow\;} X_1 \overrightarrow{\wedge} X_4 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_3 ,\ X_3 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_4 ,\ X_4 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_3 .$

With w > 1 extended core events the total number of covered permutations is then given as

$$
T = \prod_{i=1}^{w} T_i . \qquad (5.73)
$$

For example, the extended MCSS $(X_1 \wedge X_2) \overrightarrow{\wedge} (X_3 \wedge X_4)$ with $w = 2$, $r_1 = r_2 = 2$, $k_1 = 1$, $k_2 = 3$ covers a total of $T = T_1 \cdot T_2 = 2 \cdot 6 = 12$ permutations:

$X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_3 \overrightarrow{\wedge} X_4 ,\ X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_4 \overrightarrow{\wedge} X_3 ,\ X_1 \overrightarrow{\wedge} X_3 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_4 ,$

$X_1 \overrightarrow{\wedge} X_4 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_3 ,\ X_3 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_4 ,\ X_4 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_3 ,$

$X_2 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_3 \overrightarrow{\wedge} X_4 ,\ X_2 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_4 \overrightarrow{\wedge} X_3 ,\ X_2 \overrightarrow{\wedge} X_3 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_4 ,$

$X_2 \overrightarrow{\wedge} X_4 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_3 ,\ X_3 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_4 ,\ X_4 \overrightarrow{\wedge} X_2 \overrightarrow{\wedge} X_1 \overrightarrow{\wedge} X_3 .$

In analogy to (5.67), the failure probability of an extended MCSS is approximated as

$$
F_{MCSS}(t) \approx T \cdot \frac{1}{n!} \prod_{i=1}^{n} (\lambda_{X_i} t) \cdot R_{X_I}(t) \cdot R_{X_{II}}(t) \cdots . \qquad (5.74)
$$

In analogy to (5.68), the approximated failure frequency is then given by

$$
f_{MCSS}(t) \approx T \cdot \frac{1}{(n-1)!} \cdot \lambda_{X_n} \cdot \prod_{i=1}^{n-1} (\lambda_{X_i} t) \cdot R_{X_I}(t) \cdot R_{X_{II}}(t) \cdots . \qquad (5.75)
$$
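As an added example for chapter 5.5.2, not code from the thesis, the following Python block computes the number T of normal MCSS covered by an extended MCSS from (5.72) and (5.73), cross-checks that number by brute-force enumeration of all event orderings, and applies T in (5.74). The representation of an extended MCSS as a list of groups, the function names (`core_parameters`, `covered_by_core`, `covered_total`, `enumerate_covered`, `ext_mcss_probability`) and the sample rates are constructions for this example; the enumeration goes beyond the page's four examples to arbitrary chains of core events.

```python
"""Counting the normal MCSS covered by an extended MCSS, (5.72) and (5.73).

Added example, not from the thesis. An extended MCSS is written as a list of
groups in PAND order; a group with several events is an extended core event
whose events are AND-connected, a single-event group is an ordinary PAND
operand. SAND sequences are omitted throughout, as in chapter 5.5.2.
"""
from itertools import permutations
from math import comb, exp, factorial, prod


def core_parameters(ext_mcss):
    """(r_i, k_i) for every group: r_i = number of AND-connected events, k_i = one plus
    the number of events standing left of the group (so k_2 = 3 in (5.71))."""
    params, seen = [], 0
    for group in ext_mcss:
        params.append((len(group), seen + 1))
        seen += len(group)
    return params


def covered_by_core(r, k):
    """(5.72): T_i = r! * C((k-1)+(r-1), k-1)."""
    return factorial(r) * comb((k - 1) + (r - 1), k - 1)


def covered_total(ext_mcss):
    """(5.73): T = product of T_i over all groups (a single event contributes 1)."""
    return prod(covered_by_core(r, k) for r, k in core_parameters(ext_mcss))


def enumerate_covered(ext_mcss):
    """Brute-force cross-check of (5.73): all strict orderings of the events in which
    each group is completed (its last event has occurred) before the next group
    is completed; an AND-connected group 'occurs' when its last event occurs."""
    events = [e for g in ext_mcss for e in g]
    covered = []
    for order in permutations(events):
        pos = {e: i for i, e in enumerate(order)}
        done = [max(pos[e] for e in g) for g in ext_mcss]   # completion of each group
        if all(a < b for a, b in zip(done, done[1:])):
            covered.append(order)
    return covered


def ext_mcss_probability(ext_mcss, rates, t, negated_rates=()):
    """(5.74): F_MCSS(t) ~ T * (1/n!) * prod(lambda_i t) * prod R_j(t), constant rates."""
    n = len(rates)
    return (covered_total(ext_mcss) * prod(lam * t for lam in rates) / factorial(n)
            * prod(exp(-lam * t) for lam in negated_rates))


if __name__ == "__main__":
    examples = [
        [("X1", "X2"), ("X3",)],               # (X1 ^ X2) PAND X3            -> T = 2
        [("X1",), ("X2", "X3")],               # X1 PAND (X2 ^ X3)            -> T = 4
        [("X1",), ("X2",), ("X3", "X4")],      # X1 PAND X2 PAND (X3 ^ X4)    -> T = 6
        [("X1", "X2"), ("X3", "X4")],          # (X1 ^ X2) PAND (X3 ^ X4)     -> T = 12
    ]
    for ex in examples:
        print(ex, core_parameters(ex), covered_total(ex), len(enumerate_covered(ex)))
    # (5.70) with three constructed rates of 1e-6 1/h at t = 400 h: T = 2 gives (1/3)(lambda t)^3
    print(ext_mcss_probability(examples[0], [1e-6, 1e-6, 1e-6], 400.0))
```

The brute-force enumeration grows as n! and is only a check; for real fault trees the counting formula is what keeps the effort small, which is exactly the point of chapter 5.5.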

Summary of Chapter 5.5 Reducing the Computing Time

For constant failure rates and “small enough” failure probabilities the probabilities and rates of occurrence of each possible permutation of the events in an MCSS do not significantly differ among each other. The calculation of $F_{MCSS}(t)$ and $f_{MCSS}(t)$ is therefore almost independent of the exact event sequence information. This is beneficial, as the quantification with exact sequence information requires calculation of multiply nested integrals (see chapter 5.3), which is very costly. On the other hand, the approximation method provided in this chapter allows an estimation of $F_{MCSS}(t)$ and $f_{MCSS}(t)$ solely based on the number of events in an MCSS and their respective failure rates, see (5.67) and (5.68). It is not necessary to explicitly take the exact sequence information into consideration. Extended MCSS may also be quantified using this approximation, as shown in (5.74) and (5.75).




6 Comparing TFTA to Other Dynamic 
Modelling Approaches 

Much may be said on both sides. 

(Henry Fielding) 


In this chapter the advantages of using the TFTA method are demonstrated and discussed; in order to do so, an example system (see chapter 6.1) is modelled and analyzed

• as conventional Boolean FTA in chapter 6.2,

• as dynamic fault tree (DFT) in chapter 6.3, and

• as Markov model in chapter 6.4,

and these are then compared with the new TFTA approach, see chapter 6.5. The comparison models are created and analyzed using the Isograph FaultTree+ tool [50].

6.1 An Example System 

An example system from [79] is shown in figure 6.1. 

System Description 

The relevant system function of the system under consideration is to supply point X with power. 
The power supply E delivers energy via switch U and two redundant paths A and B. First, U 
is switched to allow energy flow via path A. In case of a fault in A, switch U will redirect the 
energy flow via path B in order to sustain the system function. 

The following component faults are considered here:

Figure 6.1: An example system used for comparing the Boolean FTA, the DFT, the Markov model, and the TFTA.

E: E fails to supply energy; the corresponding failure rate is $\lambda_E = 1 \cdot 10^{-9}\ \mathrm{h}^{-1}$.

U: U fails to switch from A to B; the corresponding failure rate is $\lambda_U = 5 \cdot 10^{-6}\ \mathrm{h}^{-1}$.

A: Internal fault of A inhibiting energy flow; the corresponding failure rate is $\lambda_A = 1 \cdot 10^{-6}\ \mathrm{h}^{-1}$.

B: Internal fault of B inhibiting energy flow; the corresponding failure rate is $\lambda_B = 1 \cdot 10^{-6}\ \mathrm{h}^{-1}$.

All components are non-repairable; all failure rates are constant; the mission time is $T_M = 400$ h. The failure sequence is relevant because the failure of U before the failure of A leads to a system failure, but the failure of U after switching from A, i.e. after the failure of A, does not lead to a system failure. The qualitative and probabilistic results of modelling this example system using the different modelling techniques are listed in tables 6.1 and 6.2 on page 82.

6.2 Comparison with the Boolean FTA 

The Boolean model is not able to take sequence information into account as relevant for this 
example system’s failure behaviour. As an approximation to the real system diagram from 
figure 6.1, one of the versions from figure 6.2 must be chosen as basis for the Boolean fault tree 
model [79]. Figure 6.3 shows the Boolean fault trees corresponding to these two versions, which 
are called “Bool 1” and “Bool 2”. 


Qualitative and Probabilistic Calculation 

The components’ failure probabilities and failure frequencies at the end of the mission time are calculated using (5.10); this yields

$$
F_A(T_M) = 3{,}9992 \cdot 10^{-4} ,\qquad f_A(T_M) = 9{,}9960 \cdot 10^{-7}\ \mathrm{h}^{-1} , \qquad (6.1)
$$

$$
F_B(T_M) = 3{,}9992 \cdot 10^{-4} ,\qquad f_B(T_M) = 9{,}9960 \cdot 10^{-7}\ \mathrm{h}^{-1} , \qquad (6.2)
$$

$$
F_U(T_M) = 1{,}9960 \cdot 10^{-3} ,\qquad f_U(T_M) = 4{,}9900 \cdot 10^{-6}\ \mathrm{h}^{-1} , \qquad (6.3)
$$

$$
F_E(T_M) = 4{,}0000 \cdot 10^{-7} ,\qquad f_E(T_M) = 1{,}0000 \cdot 10^{-9}\ \mathrm{h}^{-1} . \qquad (6.4)
$$

The failure function $\varphi$ is

$$
\varphi_{Bool\,1} = (A \vee E) \wedge (B \vee U \vee E) = [A \wedge B] \vee [A \wedge U] \vee [E] \quad \text{and} \qquad (6.5)
$$

$$
\varphi_{Bool\,2} = (A \vee U \vee E) \wedge (B \vee U \vee E) = [A \wedge B] \vee [U] \vee [E] . \qquad (6.6)
$$

It may be transformed into a disjunctive normal form of mutually exclusive expressions:

$$
\varphi_{Bool\,1} = [A \wedge B \wedge \neg E \wedge \neg U] \vee [A \wedge U \wedge \neg E] \vee [E] \quad \text{and} \qquad (6.7)
$$




Figure 6.2: Two possible versions of Boolean approximations of the example system from figure 6.1 as basis for a conventional Boolean FTA. The left side is called “Bool 1”, and the right side is called “Bool 2”.

Figure 6.3: Boolean fault trees corresponding to “Bool 1” (top) and “Bool 2” (bottom).


$$
\varphi_{Bool\,2} = [A \wedge B \wedge \neg E \wedge \neg U] \vee [U \wedge \neg E] \vee [E] . \qquad (6.8)
$$

Using the failure data from above for quantification, the TOP event provides

$$
F_{Bool\,1}(T_M) = 1{,}3587 \cdot 10^{-6} ,\qquad f_{Bool\,1}(T_M) = 5{,}7899 \cdot 10^{-9}\ \mathrm{h}^{-1} \quad \text{and} \qquad (6.9)
$$

$$
F_{Bool\,2}(T_M) = 1{,}9986 \cdot 10^{-3} ,\qquad f_{Bool\,2}(T_M) = 4{,}9918 \cdot 10^{-6}\ \mathrm{h}^{-1} . \qquad (6.10)
$$

These results were verified using the FaultTree+ tool.

Discussion on Creating the Fault Trees 

In both cases the fault tree is derived systematically from the system diagrams by following the energy flow backwards through the system, i.e. from output X to input E. The modeller need not think about possible event duplications, as the Boolean logic correctly eliminates those.

Discussion on Results 

Qualitative analysis of the minimal cutsets shows that both cases provide system failures where no real system failure occurs. In case of “Bool 1” the inaccuracy lies in minimal cutset $[A \wedge U]$, and in case of “Bool 2” the inaccuracy lies in minimal cutset $[U]$. Therefore, “Bool 2” is an especially conservative approximation: qualitatively, the fault tree has one additional and unnecessary single point failure; probabilistically, the fault tree yields much higher values for the TOP level failure parameters. Comparing both Boolean versions it appears clear that “Bool 1” is the more realistic model.


6.3 Comparison with Dynamic FTA (DFT Method) 

Other than the Boolean model, the DFT fault tree uses PAND gates to consider event sequences that are relevant to the system failure behaviour.

Figure 6.4 shows two versions “DFT 1” and “DFT 2” which include a dynamic module, i.e. the gate “U fails before A”; this module represents a Markov model, see figure 2.3. For better understanding, in these figures the PAND gate is shown with its original DFT symbol from the DFT [37], i.e. an AND gate with double bars, instead of the TFTA PAND gate symbol (an AND gate with horizontal left-to-right arrow).

In “DFT 1” basic event A is meshed between the dynamic module and the Boolean part of the fault tree. Basic event A has a set sequence flag, and because of the meshing this flag is also set where A is input to the Boolean AND gate “Internal failure of A and B”. But this sequence information is erroneous with regard to event B; it provides probabilistically optimistic results, i.e. too small failure values.

In “DFT 2” this meshing is broken up. In order to do so, the identical failure of the one component A has to be represented by two different basic events A and A*. In complex fault trees this method is not feasible, is costly, and complicates clear analysis. Moreover, the probabilistic results are conservative, as possible intersections between these events are not taken into account.


Qualitative and Probabilistic Calculation 

At the end of the mission time each component’s failure probability and failure frequency equals those of the Boolean model from page 76.

One feature of the DFT approach is that the qualitative calculation of the failure function interprets the PAND gate as a conventional AND gate. This certainly is a sensible conservative approach; as a consequence, though, the event sequence information is not present in the qualitative results. The failure function $\varphi$ yields

$$
\varphi_{DFT\,1} = [A \wedge B] \vee [U \wedge A] \vee [E] \quad \text{and} \qquad (6.11)
$$

$$
\varphi_{DFT\,2} = [A^* \wedge B] \vee [U \wedge A] \vee [E] . \qquad (6.12)
$$

Isograph FaultTree+ provides the following results:

$$
F_{DFT\,1}(T_M) = 8{,}7933 \cdot 10^{-7} ,\qquad f_{DFT\,1}(T_M) = 3{,}3946 \cdot 10^{-9}\ \mathrm{h}^{-1} \quad \text{and} \qquad (6.13)
$$

$$
F_{DFT\,2}(T_M) = 9{,}5962 \cdot 10^{-7} ,\qquad f_{DFT\,2}(T_M) = 3{,}7967 \cdot 10^{-9}\ \mathrm{h}^{-1} . \qquad (6.14)
$$
Figure 6.4: DFT fault trees in two versions, “DFT 1” (top) and “DFT 2” (bottom). In “DFT 1” event A is illegally meshed between the Boolean part of the fault tree and the dynamic module. In “DFT 2” the same real world failure of component A is represented by two different basic events A and A*, which breaks the meshing. Both versions provide only approximative probabilistic results, though, and do not provide a qualitative analysis that also includes sequence information.


6.4 Comparison with Markov Diagrams 

The example system’s Markov model in this chapter is used as a reference for probabilistic calculations. Figure 6.5 shows the corresponding Markov diagram, where all system failure states “no energy at X” are denoted in bold. Event sequence information between U and A is taken into account.

Using $T_M = 400$ h, Isograph FaultTree+ provides the following results:

$$
F_{Mar}(T_M) = 9{,}5940 \cdot 10^{-7} ,\qquad f_{Mar}(T_M) = 3{,}7955 \cdot 10^{-9}\ \mathrm{h}^{-1} . \qquad (6.15)
$$

This modelling method does not allow for qualitative analysis like the analysis of minimal cutsets.

In comparison to the fault tree modelling methods from above, the higher complexity of the Markov method is apparent, which in real life inhibits the use of Markov methods for the analysis of many systems.

Figure 6.5: Markov diagram (and also sequential failure tree) of the example system. System failure states “no energy at X” are denoted in bold.


6.5 Dynamic FTA According to the TFTA Method 

Figure 6.6 shows the temporal TFTA fault tree corresponding to the example system. One 
main benefit of the TFTA over the DFT approach is the way in which the fault tree structure 
is built. Just like the conventional Boolean FTA, it is possible to apply a “schematic-driven 
built-process”; i.e. to proceed backwards through the system, from its outputs to its inputs, 
and following the signal paths. This method is very intuitive as well as very systematic, thus 
reducing modelling errors. If there are meshings in the TFTA fault tree, they are broken up 
and resolved by the temporal logic. The same approach is generally not possible with the DFT 
because of its separated modules. 

Qualitative and Probabilistic Calculation 

The temporal system function of the temporal fault tree shown in figure 6.6 is given as

$$
\varpi = (A \vee E) \wedge \big( B \vee E \vee (U \overrightarrow{\wedge} A) \big) = [A \wedge B] \vee [A \wedge E] \vee [A \wedge (U \overrightarrow{\wedge} A)] \vee [E \wedge B] \vee [E] \vee [E \wedge (U \overrightarrow{\wedge} A)] = [A \wedge B] \vee [U \overrightarrow{\wedge} A] \vee [E] . \qquad (6.16)
$$

Its three event sequences are already minimal according to chapter 4.3.2, as

$$
[A \wedge B] \not\subset [U \overrightarrow{\wedge} A] \quad \text{and} \quad [A \wedge B] \not\subset [E] \quad \text{and} \quad [E] \not\subset [U \overrightarrow{\wedge} A] .
$$

These event sequences are also MCSS and thus the starting point for further qualitative evaluation. Qualitative analysis of the MCSS shows that the MCSS are indeed correctly calculated and do include the sequence information between events U and A. Further qualitative analysis then requires the transformation of the MCSS into a mutually exclusive (disjoint) form. The transformation according to chapter 4.3.3 yields an extended TDNF with mutually exclusive expressions:

$$
\varpi = [\neg E \wedge (A \wedge B)] \vee [\neg B \wedge \neg E \wedge (U \overrightarrow{\wedge} A)] \vee [E] . \qquad (6.17)
$$

Using the components’ failure data from page 76, direct quantification is then possible:

$$
F_{TFTA}(t) = \big(1 - F_E(t)\big) \cdot F_A(t) \cdot F_B(t) + \big(1 - F_E(t)\big)\big(1 - F_B(t)\big) \cdot \int_0^t F_U(\tau) \cdot f_A(\tau)\, d\tau + F_E(t) ,
$$
Figure 6.6: TFTA fault tree of the example system. It correctly takes the meshing of event A into account, as well as the sequence information between events U and A, and allows for a “schematic-driven built-process”. Probabilistically, the correct results are calculated, too.


$$
F_{TFTA}(T_M) = 9{,}5940 \cdot 10^{-7} , \qquad (6.18)
$$

$$
f_{TFTA}(t) = \big(1 - F_E(t)\big) \cdot f_A(t) \cdot F_B(t) + \big(1 - F_E(t)\big) \cdot F_A(t) \cdot f_B(t) + \big(1 - F_E(t)\big)\big(1 - F_B(t)\big) \cdot F_U(t) \cdot f_A(t) + f_E(t) ,
$$

$$
f_{TFTA}(T_M) = 3{,}7955 \cdot 10^{-9}\ \mathrm{h}^{-1} . \qquad (6.19)
$$

Comparison with the reference results from the markov model (see chapter 6.4) shows that the 
TFTA provides exact probabilistic results, too. 

Approximation 

Instead of using this exact calculation method, the TOP event’s failure parameters may also be 
approximated using the approach with reduced calculatory effort from chapter 5.5. 

First, this approach is used on the extended TDNF of the temporal failure function from (6.17); $T_M = 400$ h then yields

$$
F_{TFTA}(t) \approx (1 - \lambda_E t) \cdot \lambda_A t \cdot \lambda_B t + \tfrac{1}{2} (1 - \lambda_E t)(1 - \lambda_B t) \cdot \lambda_U t \cdot \lambda_A t + \lambda_E t ,
$$

$$
F_{TFTA}(T_M) = 9{,}5984 \cdot 10^{-7} , \qquad (6.20)
$$

$$
f_{TFTA}(t) \approx 2 (1 - \lambda_E t) \cdot \lambda_A \cdot \lambda_B t + (1 - \lambda_E t)(1 - \lambda_B t) \cdot \lambda_U \cdot \lambda_A t + \lambda_E ,
$$

$$
f_{TFTA}(T_M) = 3{,}7988 \cdot 10^{-9}\ \mathrm{h}^{-1} . \qquad (6.21)
$$

Further significant simplification is possible using (6.16) instead of the temporal failure function from (6.17). The quantification of (6.16) yields

$$
F_{TFTA}(t) \approx \lambda_A t \cdot \lambda_B t + \tfrac{1}{2} \lambda_U t \cdot \lambda_A t + \lambda_E t ,
$$

$$
F_{TFTA}(T_M) \approx 9{,}6000 \cdot 10^{-7} , \qquad (6.22)
$$

$$
f_{TFTA}(t) \approx 2 \lambda_A \cdot \lambda_B t + \lambda_U \cdot \lambda_A t + \lambda_E ,
$$

$$
f_{TFTA}(T_M) \approx 3{,}8000 \cdot 10^{-9}\ \mathrm{h}^{-1} . \qquad (6.23)
$$

On the one hand, it is no longer necessary to carry out the - possibly very costly - transformation 
into a disjoint form. On the other hand, the results are conservative approximations, usually 
good enough for at least a first assessment during a multi-step analysis. 
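The following Python block is an added example, not the thesis’s own calculation: it reproduces the quantification of chapter 6 from the component data of chapter 6.1, namely the exact TFTA result for the disjoint form (6.17), the two approximations (6.20) to (6.23), and the two Boolean variants (6.7) and (6.8). The closed form used for the nested integral of the PAND term, the convention that a disjoint term’s frequency is the product of the negated events’ survival factors and the frequency of its positive part (as written in (6.19)), and the function names (`tfta_exact`, `tfta_approx_disjoint`, `tfta_approx_tdnf`, `bool_1`, `bool_2`, `results_table`) are assumptions of this example.

```python
"""Quantification of the example system of chapter 6 (added example, not from the thesis).

Component data of chapter 6.1 (constant rates in 1/h, non-repairable, T_M = 400 h)
and the failure functions (6.7), (6.8), (6.16), (6.17) are taken as given on the
page. Failure frequencies of disjoint terms follow the convention of (6.19):
survival factors of the negated events times the frequency of the positive part.
"""
import math
from math import prod

LAMBDA = {"A": 1e-6, "B": 1e-6, "U": 5e-6, "E": 1e-9}   # failure rates, 1/h
T_M = 400.0                                               # mission time, h


def F(x, t):
    """Failure probability of a non-repairable component with constant rate."""
    return 1.0 - math.exp(-LAMBDA[x] * t)


def f(x, t):
    """Failure frequency (density) of that component."""
    return LAMBDA[x] * math.exp(-LAMBDA[x] * t)


def R(x, t):
    """Survival probability, i.e. the probability of the negated event."""
    return math.exp(-LAMBDA[x] * t)


def F_and(xs, t):
    """Boolean AND of independent events: product of failure probabilities."""
    return prod(F(x, t) for x in xs)


def f_and(xs, t):
    """Frequency of a Boolean AND: one event fails now, the others have failed before."""
    return sum(f(x, t) * prod(F(y, t) for y in xs if y != x) for x in xs)


def F_u_before_a(t):
    """PAND term U before A, both failed by t: int_0^t F_U(tau) f_A(tau) dtau, in
    closed form for constant rates (assumption of this example):
    F_A(t) - lam_A / (lam_A + lam_U) * (1 - exp(-(lam_A + lam_U) t))."""
    la, lu = LAMBDA["A"], LAMBDA["U"]
    return F("A", t) - la / (la + lu) * (1.0 - math.exp(-(la + lu) * t))


def tfta_exact(t):
    """(6.18)/(6.19): quantification of the disjoint form (6.17)."""
    Fv = (R("E", t) * F_and("AB", t)
          + R("E", t) * R("B", t) * F_u_before_a(t)
          + F("E", t))
    fv = (R("E", t) * f_and("AB", t)
          + R("E", t) * R("B", t) * F("U", t) * f("A", t)
          + f("E", t))
    return Fv, fv


def tfta_approx_disjoint(t):
    """(6.20)/(6.21): small-value approximation of chapter 5.5 applied to (6.17)."""
    lA, lB, lU, lE = (LAMBDA[k] for k in "ABUE")
    Fv = ((1 - lE * t) * lA * t * lB * t
          + (1 - lE * t) * (1 - lB * t) * 0.5 * lU * t * lA * t + lE * t)
    fv = 2 * (1 - lE * t) * lA * lB * t + (1 - lE * t) * (1 - lB * t) * lU * lA * t + lE
    return Fv, fv


def tfta_approx_tdnf(t):
    """(6.22)/(6.23): the same approximation applied directly to the minimal TDNF (6.16)."""
    lA, lB, lU, lE = (LAMBDA[k] for k in "ABUE")
    Fv = lA * t * lB * t + 0.5 * lU * t * lA * t + lE * t
    fv = 2 * lA * lB * t + lU * lA * t + lE
    return Fv, fv


def bool_1(t):
    """(6.7): [A B ~E ~U] v [A U ~E] v [E]."""
    Fv = R("E", t) * R("U", t) * F_and("AB", t) + R("E", t) * F_and("AU", t) + F("E", t)
    fv = R("E", t) * R("U", t) * f_and("AB", t) + R("E", t) * f_and("AU", t) + f("E", t)
    return Fv, fv


def bool_2(t):
    """(6.8): [A B ~E ~U] v [U ~E] v [E]."""
    Fv = R("E", t) * R("U", t) * F_and("AB", t) + R("E", t) * F("U", t) + F("E", t)
    fv = R("E", t) * R("U", t) * f_and("AB", t) + R("E", t) * f("U", t) + f("E", t)
    return Fv, fv


def results_table(t=T_M):
    """All TOP-event results (F, f) at the mission time, keyed like table 6.2."""
    return {name: fn(t) for name, fn in [("Bool 1", bool_1), ("Bool 2", bool_2),
                                          ("TFTA", tfta_exact),
                                          ("TFTA (Approx. 1)", tfta_approx_disjoint),
                                          ("TFTA (Approx. 2)", tfta_approx_tdnf)]}


if __name__ == "__main__":
    for name, (Fv, fv) in results_table().items():
        print(f"{name:18s} F = {Fv:.4e}   f = {fv:.4e} 1/h")
```

The failure probabilities agree with table 6.2 to the four digits printed there; the frequencies agree to three significant digits. Printing the rows side by side also makes the ordering discussed in the text visible: exact TFTA below Approx. 1 below Approx. 2, and both Boolean variants well above all of them.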


Cutsets/Sequ.   Bool 1          Bool 2          DFT 1           DFT 2             Markov   TFTA
1.              $E$             $E$             $E$             $E$               –        $E$
2.              $A \wedge U$    $U$             $U \wedge A$    $U \wedge A$      –        $U \overrightarrow{\wedge} A$
3.              $A \wedge B$    $A \wedge B$    $A \wedge B$    $A^* \wedge B$    –        $A \wedge B$

Table 6.1: Comparison of the qualitative results of the different modelling methods for the example system from chapter 6.1. Minimal cutsets of the “Bool ...” and the “DFT ...” methods do not include event sequence information. As a consequence, there are failure combinations that do not lead to a real life system failure, but are taken for system failures. The results of “Bool 2” and “DFT 2” deviate the most from the correct results represented by the MCSS of the TFTA. The Markov model does not provide comparable qualitative results at all.


6.6 Summarizing the Results 

The side-by-side comparison of Boolean FTA, DFT approach, Markov model, and the new TFTA approach shows that the TFTA combines and surpasses the benefits of the other more conventional methods.

The TFTA adopts the basic steps of creating fault trees from the Boolean FTA. Most notably, it allows for a “schematic-driven built-process”; this assures a very systematic design and few modelling errors. The basic steps of the fault tree’s qualitative and probabilistic evaluation are also very similar between both methods. The failure function is qualitatively simplified into a minimal DNF; in a next step, this is then further qualitatively analysed, as well as transformed into mutually exclusive (disjoint) sub-expressions; these are then quantified. Other than the Boolean FTA, the TFTA takes relevant event sequence information into account qualitatively as well as probabilistically.

Looking at the qualitative results, only the TFTA provides minimal combinations of component failures that lead to a system failure which include event sequence information, see table 6.1. The DFT and the conventional FTA provide minimal cutsets without event sequence information instead. Furthermore, the necessity of modules in the DFT is noteworthy: meshing of events between Boolean and dynamic modules may lead to modelling errors which are difficult to discern and thus distort the qualitative results. It is possible to break such meshing up by
Method                                 F(T_M) [·] = 1      f(T_M) [·] = 1/h     λ(T_M) [·] = 1/h
Bool 1                                 1,3587 · 10^-6      5,7899 · 10^-9       5,7899 · 10^-9
Bool 2                                 1,9986 · 10^-3      4,9918 · 10^-6       5,0019 · 10^-6
dynamic fault tree (DFT) 1             8,7933 · 10^-7      3,3946 · 10^-9       3,3946 · 10^-9
DFT 2                                  9,5962 · 10^-7      3,7967 · 10^-9       3,7967 · 10^-9
Markov                                 9,5940 · 10^-7      3,7955 · 10^-9       3,7955 · 10^-9
temporal fault tree analysis (TFTA)    9,5940 · 10^-7      3,7955 · 10^-9       3,7955 · 10^-9
TFTA (Approx. 1)                       9,5984 · 10^-7      3,7988 · 10^-9       3,7988 · 10^-9
TFTA (Approx. 2)                       9,6000 · 10^-7      3,8000 · 10^-9       3,8000 · 10^-9

Table 6.2: Comparison of the probabilistic results of the different modelling methods from chapters 6.2 to 6.5; the mission time is set to $T_M = 400$ h. Obviously, the Boolean results are comparably conservative. The Markov model is used as reference. The TFTA provides identical and therefore correct results, too. The last two rows show the results of the approximations of the probabilistic TFTA. “Approx 1” corresponds to the temporal failure function after it is transformed into a mutually exclusive (disjoint) form; “Approx 2” corresponds to the temporal failure function in a TDNF before being transformed into disjoint minterms, see (6.20) to (6.23).


using several “copied” events for one real world failure event; this provides good probabilistic approximations, but it reduces the significance and reliability of the qualitative results, as they contain nonsensical or even impossible event combinations.

The TFTA also provides correct probabilistic failure parameters at TOP event level; this is shown by comparison with the Markov reference, see table 6.2. The Boolean models are comparatively conservative. The DFT provides correct results only for those fault trees that do not have events meshed between Boolean and dynamic modules. If such meshings are necessary, then the DFT usually provides optimistic (i.e. too small) probabilistic results.

The TFTA is also well suited for a multi-step approach of modelling, where the results’ accuracy is improved step by step. The TFTA’s approach with reduced calculatory effort provides conservative probabilistic approximations as well as, qualitatively, the minimal failure sequences.







7 TFTA Analysis of an Automotive ECU 
Architecture 


Insight separated from practice 
remains ineffective. 

(Erich Fromm) 


This chapter uses the TFTA method on a more complex example and shows how TFTA may 
be applied to more than academic minimal examples. 


7.1 The Example System 

The example system in figure 7.1 is an abstraction of a system architecture typically used in the automotive domain for safety critical systems up to SIL 3 according to IEC 61508 or ASIL D according to ISO 26262.

Figure 7.1: A real world example system which is analyzed using the TFTA method.

The structure of this chapter: In chapter 7.2 the temporal fault tree corresponding to the example system is shown. The qualitative analysis in chapter 7.3 and the probabilistic evaluation in chapter 7.4 are followed by a discussion of the results in chapter 7.5.

7.1.1 System Description, Safety Goal and Safe State 
Scope 

The example system consists of the components and signals listed in table 7.1.


Component   Subcomponent   Description
S1                         sensor 1
S2                         sensor 2
µC                         microcontroller
ASIC                       system-ASIC
            WD             watchdog for µC
            K1             comparator 1
            K2             comparator 2
            OR             OR gate
POW                        power switch
            SW             emergency switch
            T3             power transistor
AMP                        driver IC
            L              logic
            T1             high side power stage
            T2             low side power stage
A                          actuator

Signal      Description
EN          enable signal for the logic in the driver IC
SAF         enable signal for power transistor and driver IC
OFF         disable/cutoff signal from watchdog

Table 7.1: Components and signals of the example system in figure 7.1


Functional Description and Safety Concept 

The example system is used to safely activate actuator A based on some sensor information. The actuator shall be activated if (and only if) the sensor input shows that some threshold level is exceeded. If the sensor input is below this threshold, the actuator shall be deactivated. The system includes several redundancy measures in order to increase its functional safety.

Both sensors S1 and S2 record some physical parameters from the surrounding. Each sensor sends its data over a separate serial port to microcontroller µC as well as the system ASIC. The transmission is protected using CRC and alive counters.

Microcontroller µC evaluates the sensor data of both sensors S1 and S2. If at least one of the sensors’ data is below the threshold, output SAF of the µC is deactivated. If both of the sensors’ data are above the threshold, µC activates the power transistor T3 via the SAF signal. At the same time, µC activates the power stages T1 and T2 in the AMP driver via AMP’s enable input {2}. Meanwhile, the microcontroller serves the intelligent watchdog in the system ASIC via an additional bidirectional port.

The system ASIC evaluates the same sensor data as the microcontroller. It has two hardware comparators K1 and K2. Comparator K1 evaluates data from sensor S1. Comparator K2 evaluates data from sensor S2. If at least one of the hardware comparators detects that the corresponding threshold is exceeded, it activates its output EN. Additionally, the system ASIC includes an intelligent watchdog WD. Using several mechanisms, the watchdog monitors that the µC hardware is operable and the operating system and the application software on µC run correctly. This is accomplished, first, using a window watchdog triggered by special waypoints within the program software; second, WD queries µC and monitors the provided answers. If µC answers too early or too late or provides a wrong answer, WD activates (opens) a separate emergency switch SW via the OFF signal. If SW is open, T3 is deactivated independently of SAF; the power supply to the power stages and thus to the actuator is interrupted.

Driver AMP consists of the two power stages T1 and T2 as well as an internal logic L. L activates the power stages if (and only if) enable input {1} is activated first, and then enable input {2} is activated second. Every other sequence does not activate the power stages.

Normally, the activation follows the sequence {1}, {2}: on the one hand, data from S1 and S2 do not occur at exactly the same time, e.g. because S1 and S2 are spatially separated. Then, signal EN will always be activated first, when the first sensor data indicates an exceeding of the threshold. On the other hand, the software in µC also carries some latency relative to EN, which leads to an internally delayed activation of SAF.

Safety Goal, Safe State, and Fault Tolerance Time Span 

The system’s hazard and risk analysis yields the following safety goal: “prevent erroneous current feed through the actuator”. The corresponding safe state is “no current feed through actuator”. The fault tolerant time span is 0 seconds, i.e. current feeds are considered immediately dangerous and are thus not allowed even for very short times.

7.1.2 Failures 

Using the simplification that all connections between components S1, S2, µC, K1, K2, WD, SW, T1, T2, T3, L, and A are ideal and have no faults, the components’ failures listed in table 7.2 remain. The failures’ dangerousness depends on their potential to contribute to an infraction of the safety goal. The listed safety measures prevent a direct infraction of the safety goal by the failures. For a dynamic failure analysis two areas of the system are specifically interesting. First, there is a sequence logic in L, and second, there are dangerous failures of WD and SW (numbers 18 and 27 in table 7.2, respectively) in combination with a failure of the microcontroller. These failures of the watchdog or switch SW are relevant if (and only if) at least one of them occurs before failures of µC. But if µC fails first, while WD as well as SW are operational, i.e. have not failed, or have failed, but “in a safe direction”, it is assumed that this was detected and thus the system is disabled. Further dangerous consequences are then ruled out. Furthermore, dependent failures, and especially common cause failures (CCF), are not considered in this example.

Failures of µC may not be easily attributed to specific hardware faults, as µC’s functionality is largely realised in software. It is assumed that the different failures of µC - numbers 9 to 17 in table 7.2 - occur independently of each other.


7.2 Temporal Fault Tree 

A temporal fault tree for the example system is to be created. It shall provide evidence that no dangerous single failure leads to a direct infraction of the safety goal; this is called “single failure resistance”. Furthermore, an MCSS analysis shall provide the most relevant combinations of dangerous failures. A probabilistic quantification shall then provide evidence that the system’s failure rate stays below the threshold as defined for ASIL D in ISO 26262.

The TOP event of the fault tree is the “infraction of the safety goal”, i.e. the “erroneous current feed through the actuator”. As the system has time-dependencies between its components’ failures, it is necessary to use temporal fault tree gates. Figures 7.2 to 7.4 show the temporal fault tree for the example system, split into three parts. The basic events’ numbers correspond to those in table 7.2.

In total the temporal fault tree consists of 32 gates and 34 basic events. There are 16 meshed gates and 18 meshed basic events. Two of the gates are PAND gates, which appear three times because of meshings. These temporal gates represent sub fault trees with ten different basic events and ten different gates.
Figure 7.3: Fault tree of the example system from figure 7.1, part 2.

Figure 7.4: Fault tree of the example system from figure 7.1, part 3.
7.3 Qualitative Analysis of the Temporal Fault Tree

7.3.1 Temporal Failure Function

The failure function for the TOP event is directly read from the fault tree in figures 7.2 to 7 . 4 : 



A ( X28 V [{Xi V X13) A (X5 V X15)] V [(X27 V Xis) X Xio] j . ( 7 . 1 ) 

c 

Substitutions B, and C facilitate further simplification: 

$$
\begin{aligned}
\varpi ={}& \bigl( X_{30} \vee X_{34} \vee X_{38} \vee [A \triangleright B] \bigr) \wedge \bigl( X_{32} \vee X_{36} \vee X_{38} \vee [A \triangleright B] \bigr) \wedge C = \\
={}& [X_{30} \wedge X_{32} \wedge C] \vee [X_{30} \wedge X_{36} \wedge C] \vee [X_{30} \wedge X_{38} \wedge C] \vee [X_{30} \wedge (A \triangleright B) \wedge C] \vee \\
& \vee [X_{34} \wedge X_{32} \wedge C] \vee [X_{34} \wedge X_{36} \wedge C] \vee [X_{34} \wedge X_{38} \wedge C] \vee [X_{34} \wedge (A \triangleright B) \wedge C] \vee \\
& \vee [X_{38} \wedge X_{32} \wedge C] \vee [X_{38} \wedge X_{36} \wedge C] \vee [X_{38} \wedge X_{38} \wedge C] \vee [X_{38} \wedge (A \triangleright B) \wedge C] \vee \\
& \vee [(A \triangleright B) \wedge X_{32} \wedge C] \vee [(A \triangleright B) \wedge X_{36} \wedge C] \vee [(A \triangleright B) \wedge X_{38} \wedge C] \vee \\
& \vee [(A \triangleright B) \wedge (A \triangleright B) \wedge C] \, . \qquad (7.2)
\end{aligned}
$$

Applying the laws of absorption and idempotency yields 

$$
\begin{aligned}
\varpi ={}& [X_{30} \wedge X_{32} \wedge C] \vee [X_{30} \wedge X_{36} \wedge C] \vee [X_{34} \wedge X_{32} \wedge C] \vee \\
& \vee [X_{34} \wedge X_{36} \wedge C] \vee [X_{38} \wedge C] \vee [(A \triangleright B) \wedge C] \, . \qquad (7.3)
\end{aligned}
$$

The next chapter transforms the temporal failure function from (7.3) according to the laws 
of temporal logic. The analysis of the resulting MCSS of $\varpi$ follows in chapter 7.3.3. 


7.3.2 Transformation According to the Temporal Logic Rules 

MCSS of the First Five Terms in (7.3): 

The temporal failure function in (7.3) has five parts 

$$ [X_{30} \wedge X_{32} \wedge C], \; [X_{30} \wedge X_{36} \wedge C], \; [X_{34} \wedge X_{32} \wedge C], \; [X_{34} \wedge X_{36} \wedge C], \; [X_{38} \wedge C] \qquad (7.4) $$

that have no reference to event $A$. Basic events $X_{30}, X_{32}, X_{34}, X_{36}, X_{38}$ are also not included in 
$C$. If each of these five expressions is combined with the TDNF of $C$, i.e. 

$$ C = X_{28} \vee (X_{1} X_{5}) \vee (X_{1} X_{15}) \vee (X_{5} X_{13}) \vee (X_{13} X_{15}) \vee (X_{27} \triangleright X_{10}) \vee (X_{18} \triangleright X_{10}) \, , \qquad (7.5) $$

they provide nine different event sequences each, as shown here for the example 
$X_{38} \wedge C$: 

$$
\begin{aligned}
X_{38} \wedge C ={}& X_{38} \wedge [X_{28} \vee (X_{1} X_{5}) \vee (X_{1} X_{15}) \vee (X_{5} X_{13}) \vee (X_{13} X_{15}) \vee \\
& \vee (X_{27} \triangleright X_{10}) \vee (X_{18} \triangleright X_{10})] \, . \qquad (7.6)
\end{aligned}
$$

Next, this provides five event sequences each, like in 

$$ [X_{38} X_{1} X_{5}], \; [X_{38} X_{1} X_{15}], \; [X_{38} X_{5} X_{13}], \; [X_{38} X_{13} X_{15}], \; [X_{28} X_{38}] \, . \qquad (7.7) $$

Furthermore, there are four additional event sequences (without SAND) from $X_{38} \wedge (X_{18} \triangleright X_{10})$ 
and $X_{38} \wedge (X_{27} \triangleright X_{10})$: 

$$ [(X_{18} X_{38}) \triangleright X_{10}], \; [X_{18} \triangleright X_{10} \triangleright X_{38}], \; [(X_{27} X_{38}) \triangleright X_{10}], \; [X_{27} \triangleright X_{10} \triangleright X_{38}] \, . \qquad (7.8) $$

In total there are 45 event sequences, as shown in table 7.3. 


(extended) MCSS of rank two: 

 1: X28 ∧ X38 

(extended) MCSS of rank three: 

 1: X28 ∧ X30 ∧ X32           7: X28 ∧ X30 ∧ X36 
 2: X28 ∧ X32 ∧ X34           8: X28 ∧ X34 ∧ X36 
 3: X18 ⊳ X10 ⊳ X38           9: X27 ⊳ X10 ⊳ X38 
 4: (X18 ∧ X38) ⊳ X10        10: (X27 ∧ X38) ⊳ X10 
 5: X38 ∧ X1 ∧ X5            11: X38 ∧ X1 ∧ X15 
 6: X38 ∧ X5 ∧ X13           12: X38 ∧ X13 ∧ X15 

(extended) MCSS of rank four: 

 1: X1 ∧ X5 ∧ X30 ∧ X32             17: X1 ∧ X5 ∧ X30 ∧ X36 
 2: X1 ∧ X15 ∧ X30 ∧ X32            18: X1 ∧ X15 ∧ X30 ∧ X36 
 3: X13 ∧ X5 ∧ X30 ∧ X32            19: X13 ∧ X5 ∧ X30 ∧ X36 
 4: X13 ∧ X15 ∧ X30 ∧ X32           20: X13 ∧ X15 ∧ X30 ∧ X36 
 5: X1 ∧ X5 ∧ X32 ∧ X34             21: X1 ∧ X5 ∧ X34 ∧ X36 
 6: X1 ∧ X15 ∧ X32 ∧ X34            22: X1 ∧ X15 ∧ X34 ∧ X36 
 7: X13 ∧ X5 ∧ X32 ∧ X34            23: X13 ∧ X5 ∧ X34 ∧ X36 
 8: X13 ∧ X15 ∧ X32 ∧ X34           24: X13 ∧ X15 ∧ X34 ∧ X36 
 9: X18 ⊳ X10 ⊳ (X30 ∧ X32)         25: X27 ⊳ X10 ⊳ (X30 ∧ X32) 
10: X18 ⊳ X10 ⊳ (X30 ∧ X36)         26: X27 ⊳ X10 ⊳ (X30 ∧ X36) 
11: X18 ⊳ X10 ⊳ (X32 ∧ X34)         27: X27 ⊳ X10 ⊳ (X32 ∧ X34) 
12: X18 ⊳ X10 ⊳ (X34 ∧ X36)         28: X27 ⊳ X10 ⊳ (X34 ∧ X36) 
13: (X18 ∧ X30 ∧ X32) ⊳ X10         29: (X27 ∧ X30 ∧ X32) ⊳ X10 
14: (X18 ∧ X30 ∧ X32) ⊳ X10         30: (X27 ∧ X30 ∧ X32) ⊳ X10 
15: (X18 ∧ X32 ∧ X34) ⊳ X10         31: (X27 ∧ X32 ∧ X34) ⊳ X10 
16: (X18 ∧ X34 ∧ X36) ⊳ X10         32: (X27 ∧ X34 ∧ X36) ⊳ X10 

Table 7.3: MCSS of ranks two, three, and four, resulting from the first five expressions in (7.3). 
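The enumeration behind table 7.3, as an added example that is not code from the thesis: an extended event sequence is modelled as a tuple of stages (sets of basic events), and a Boolean term is combined with a PAND sequence by the SAND-free rule used for (7.8), i.e. either all of the term occurs before the last event of the sequence or the term follows it. The five terms of (7.4) and the seven terms of (7.5) are constructed from the equations above; the stage representation and its combination rule are assumptions of this example.

```python
"""Enumerating the SAND-free event sequences behind table 7.3 (added example).

An extended event sequence is a tuple of stages; each stage is a frozenset of basic
events, and the conjunction of stage i becomes True before the conjunction of
stage i+1 does.  A one-stage tuple is a plain Boolean cutset.  Combining a Boolean
term X with a sequence Y ⊳ Z follows the rule of (7.8) without SAND terms:
X before Z, i.e. (X Y) ⊳ Z, or X after Z, i.e. Y ⊳ Z ⊳ X.
"""
from collections import Counter
from itertools import product


def seq(*stages):
    """Build an extended event sequence from iterables of event names."""
    return tuple(frozenset(s) for s in stages)


def conj(boolean_term, sequence):
    """Boolean term ∧ extended sequence, returned as a list of SAND-free sequences.

    For a one-stage sequence the result is the union of both cutsets.  Otherwise the
    term becomes True either before the last stage (it joins the stage before the
    last one) or after it (it becomes a new last stage); the two cases are disjoint.
    """
    term = frozenset(boolean_term)
    if len(sequence) == 1:
        return [(sequence[0] | term,)]
    *head, before_last, last = sequence
    return [tuple(head) + (before_last | term, last), sequence + (term,)]


def rank(sequence):
    """Rank = number of basic events in the sequence."""
    return sum(len(stage) for stage in sequence)


def pretty(sequence):
    """Render a sequence the way the thesis writes it, e.g. (X18 ∧ X38) ⊳ X10."""
    parts = []
    for stage in sequence:
        names = " ∧ ".join(sorted(stage, key=lambda n: int(n[1:])))
        parts.append(f"({names})" if len(stage) > 1 and len(sequence) > 1 else names)
    return " ⊳ ".join(parts)


# The five Boolean terms of (7.4) without C (constructed from the thesis's equation).
TERMS_7_4 = [{"X30", "X32"}, {"X30", "X36"}, {"X34", "X32"}, {"X34", "X36"}, {"X38"}]

# The TDNF of C from (7.5): five Boolean cutsets and two PAND sequences.
TDNF_C = [
    seq({"X28"}), seq({"X1", "X5"}), seq({"X1", "X15"}), seq({"X5", "X13"}),
    seq({"X13", "X15"}), seq({"X27"}, {"X10"}), seq({"X18"}, {"X10"}),
]


def event_sequences():
    """All event sequences of the first five terms of (7.3), as listed in table 7.3."""
    result = []
    for term, c_term in product(TERMS_7_4, TDNF_C):
        result.extend(conj(term, c_term))
    return result


def rank_histogram(sequences):
    """Number of sequences per rank."""
    return dict(Counter(rank(s) for s in sequences))


if __name__ == "__main__":
    seqs = event_sequences()
    print(len(seqs), "event sequences, per rank:", rank_histogram(seqs))
    for s in sorted(seqs, key=rank):
        print(f"rank {rank(s)}: {pretty(s)}")
```

The 45 sequences and their split into one of rank two, twelve of rank three and 32 of rank four agree with table 7.3.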

Simplification of A AB: 

First, $A \triangleright B$ has to be broken apart. Because of limited space in this thesis, only the first 
transformation steps are shown, as relevant for understanding the basic concept. $B$ may be 
transformed into the following DNF: 

$$ B = X_{10} \vee (X_{1} X_{5}) \vee (X_{1} X_{15}) \vee (X_{5} X_{13}) \vee (X_{13} X_{15}) = X_{10} \vee \eta \, . \qquad (7.9) $$

According to the temporal distributive law for temporal expressions of type I, see (4.76), 

$$
\begin{aligned}
A \triangleright B ={}& [\neg \eta \wedge (A \triangleright X_{10})] \vee [\neg X_{10} \wedge (A \triangleright \eta)] \vee [A \triangleright (X_{10} \wedge \eta)] = \\
={}& [\neg (X_{1} X_{5} \vee X_{1} X_{15} \vee X_{5} X_{13} \vee X_{13} X_{15}) \wedge (A \triangleright X_{10})] \vee \\
& \vee [\neg X_{10} \wedge (A \triangleright (X_{1} X_{5} \vee X_{1} X_{15} \vee X_{5} X_{13} \vee X_{13} X_{15}))] \vee \\
& \vee [A \triangleright (X_{10} \wedge (X_{1} X_{5} \vee X_{1} X_{15} \vee X_{5} X_{13} \vee X_{13} X_{15}))] = \\
={}& \eta_{1} \vee \eta_{2} \vee \eta_{3} \, . \qquad (7.10)
\end{aligned}
$$

Expression $\eta_{1}$ may then easily be transformed into a TDNF: 

$$
\begin{aligned}
\eta_{1} ={}& \neg (X_{1} X_{5} \vee X_{1} X_{15} \vee X_{5} X_{13} \vee X_{13} X_{15}) \wedge (A \triangleright X_{10}) = \\
={}& [(\neg X_{1} \neg X_{13}) \wedge (A \triangleright X_{10})] \vee [(\neg X_{5} \neg X_{15}) \wedge (A \triangleright X_{10})] \, . \qquad (7.11)
\end{aligned}
$$

Expression $\eta_{2}$ is more complex and thus is transformed step by step: 

$$
\begin{aligned}
\eta_{2} ={}& \neg X_{10} \wedge \bigl( \neg (X_{1} X_{15} \vee X_{5} X_{13} \vee X_{13} X_{15}) \wedge (A \triangleright (X_{1} X_{5})) \bigr) \vee \\
& \vee \neg X_{10} \wedge \bigl( \neg (X_{1} X_{5}) \wedge (A \triangleright (X_{1} X_{15} \vee X_{5} X_{13} \vee X_{13} X_{15})) \bigr) \vee \\
& \vee \neg X_{10} \wedge \bigl( A \triangleright ((X_{1} X_{5}) \wedge (X_{1} X_{15} \vee X_{5} X_{13} \vee X_{13} X_{15})) \bigr) = \\
={}& \eta_{2a} \vee \eta_{2b} \vee \eta_{2c} \, . \qquad (7.12)
\end{aligned}
$$

The first expression in (7.12) provides three event sequences, 

$$
\begin{aligned}
\eta_{2a} ={}& \neg X_{10} \wedge \bigl[ ([\neg X_{1} \neg X_{13}] \vee [\neg X_{5} \neg X_{15}] \vee [\neg X_{13} \neg X_{15}]) \wedge (A \triangleright (X_{1} X_{5})) \bigr] = \\
={}& [(\neg X_{1} \neg X_{10} \neg X_{13}) \wedge (A \triangleright (X_{1} X_{5}))] \vee \\
& \vee [(\neg X_{5} \neg X_{10} \neg X_{15}) \wedge (A \triangleright (X_{1} X_{5}))] \vee \\
& \vee [(\neg X_{10} \neg X_{13} \neg X_{15}) \wedge (A \triangleright (X_{1} X_{5}))] \, , \qquad (7.13)
\end{aligned}
$$

but only the third of these does not yield False, if rules (4.51) and (4.52) are applied. 
Therefore, 

$$ \eta_{2a} = [(\neg X_{10} \neg X_{13} \neg X_{15}) \wedge (A \triangleright (X_{1} X_{5}))] \, . \qquad (7.14) $$

The second expression in (7.12) itself provides three expressions: 

$$
\begin{aligned}
\eta_{2b} ={}& (\neg X_{10} \neg (X_{1} X_{5})) \wedge \bigl( \neg (X_{5} X_{13} \vee X_{13} X_{15}) \wedge (A \triangleright (X_{1} X_{15})) \bigr) \vee \\
& \vee (\neg X_{10} \neg (X_{1} X_{5})) \wedge \bigl( \neg (X_{1} X_{15}) \wedge (A \triangleright (X_{5} X_{13} \vee X_{13} X_{15})) \bigr) \vee \\
& \vee (\neg X_{10} \neg (X_{1} X_{5})) \wedge \bigl( A \triangleright ((X_{1} X_{15}) \wedge (X_{5} X_{13} \vee X_{13} X_{15})) \bigr) = \\
={}& \eta_{2b1} \vee \eta_{2b2} \vee \eta_{2b3} \, . \qquad (7.15)
\end{aligned}
$$

Using the rules in (4.51) and (4.52) on 

$$
\begin{aligned}
\eta_{2b1} ={}& (\neg X_{10} \neg (X_{1} X_{5})) \wedge \bigl[ (\neg X_{13} \vee [\neg X_{5} \neg X_{15}]) \wedge (A \triangleright (X_{1} X_{15})) \bigr] = \\
={}& [(\neg X_{1} \neg X_{10} \neg X_{13}) \wedge (A \triangleright (X_{1} X_{15}))] \vee \\
& \vee [(\neg X_{5} \neg X_{10} \neg X_{13}) \wedge (A \triangleright (X_{1} X_{15}))] \vee \\
& \vee [(\neg X_{1} \neg X_{5} \neg X_{10} \neg X_{15}) \wedge (A \triangleright (X_{1} X_{15}))] \vee \\
& \vee [(\neg X_{5} \neg X_{10} \neg X_{15}) \wedge (A \triangleright (X_{1} X_{15}))] \qquad (7.16)
\end{aligned}
$$

leaves only 

$$ \eta_{2b1} = [(\neg X_{5} \neg X_{10} \neg X_{13}) \wedge (A \triangleright (X_{1} X_{15}))] \, . \qquad (7.17) $$

The second part of (7.15) again provides three expressions, i.e. 

$$
\begin{aligned}
\eta_{2b2} ={}& (\neg X_{10} \wedge (\neg X_{1} \vee [\neg X_{5} \neg X_{15}])) \wedge \bigl( \neg (X_{13} X_{15}) \wedge (A \triangleright (X_{5} X_{13})) \bigr) \vee \\
& \vee (\neg X_{10} \wedge (\neg X_{1} \vee [\neg X_{5} \neg X_{15}])) \wedge \bigl( \neg (X_{5} X_{13}) \wedge (A \triangleright (X_{13} X_{15})) \bigr) \vee \\
& \vee (\neg X_{10} \wedge (\neg X_{1} \vee [\neg X_{5} \neg X_{15}])) \wedge \bigl( A \triangleright ((X_{5} X_{13}) \wedge (X_{13} X_{15})) \bigr) = \\
={}& \eta_{2b2a} \vee \eta_{2b2b} \vee \eta_{2b2c} \, . \qquad (7.18)
\end{aligned}
$$

Because of rules (4.51) and (4.52), the first of these expressions may be simplified to 

$$
\begin{aligned}
\eta_{2b2a} ={}& [\neg X_{10} \wedge (\neg X_{1} \vee [\neg X_{5} \neg X_{15}]) \wedge \neg (X_{13} X_{15})] \wedge (A \triangleright (X_{5} X_{13})) = \\
={}& (\neg X_{1} \neg X_{10} \neg X_{13}) \wedge (A \triangleright (X_{5} X_{13})) \vee \\
& \vee (\neg X_{1} \neg X_{10} \neg X_{15}) \wedge (A \triangleright (X_{5} X_{13})) \vee \\
& \vee (\neg X_{5} \neg X_{10} \neg X_{15}) \wedge (A \triangleright (X_{5} X_{13})) = \\
={}& [(\neg X_{1} \neg X_{10} \neg X_{15}) \wedge (A \triangleright (X_{5} X_{13}))] \, . \qquad (7.19)
\end{aligned}
$$

The same steps repeated for the second expression yield 

$$
\begin{aligned}
\eta_{2b2b} ={}& [\neg X_{10} \wedge (\neg X_{1} \vee [\neg X_{5} \neg X_{15}]) \wedge \neg (X_{5} X_{13})] \wedge (A \triangleright (X_{13} X_{15})) = \\
={}& [(\neg X_{1} \neg X_{5} \neg X_{10}) \wedge (A \triangleright (X_{13} X_{15}))] \, . \qquad (7.20)
\end{aligned}
$$

Because of 

(X5X13) A (X13X15) = [(X5X15) A X13] V [Xi3 A (X5 A X15)] V [Xi5 A (X5 A X13)] V 

V [X5 A (Xi3 A X15)] V [X5 A Xi3 A X15] ( 7 . 21 ) 

the third expression in ( 7 . 18 ) provides 

V2h2c = (“'Xi-iXio) A ^yl A [(X5X15) AX13] Vyl A [Xi3 A (X5 AX15)] V ( 7 . 22 ) 

V yl A [Xi5 A (X5 A X13)] V yl A [X5 A (X13 A X15)] V yl A [X5 A X13 A X15] ^ , 

but only the event sequence $(\neg X_{1} \neg X_{10}) \wedge [(A \wedge X_{5} \wedge X_{15}) \triangleright X_{13}]$ is free of SANDs. Therefore, 
only this one event sequence is taken into account, as in this example dependent failures are 
not considered, see chapter 7.1.2. 

Inserting (7.22), (7.20), and (7.19) into (7.18) provides three event sequences 

$$
\begin{aligned}
\eta_{2b2} ={}& [(\neg X_{1} \neg X_{10} \neg X_{15}) \wedge (A \triangleright (X_{5} X_{13}))] \vee \\
& \vee [(\neg X_{1} \neg X_{5} \neg X_{10}) \wedge (A \triangleright (X_{13} X_{15}))] \vee \\
& \vee [(\neg X_{1} \neg X_{10}) \wedge ((A \wedge X_{5} \wedge X_{15}) \triangleright X_{13})] \, . \qquad (7.23)
\end{aligned}
$$

The third expression from (7.15) is still open. Using the same steps, it may be simplified to 

$$
\begin{aligned}
\eta_{2b3} ={}& (\neg X_{10} \neg (X_{1} X_{5})) \wedge \bigl( A \triangleright ((X_{1} X_{15}) \wedge (X_{5} X_{13} \vee X_{13} X_{15})) \bigr) = \\
={}& (\neg X_{10} \neg (X_{1} X_{5})) \wedge \bigl( \neg (X_{13} X_{15}) \wedge (A \triangleright ((X_{1} X_{15}) \wedge (X_{5} X_{13}))) \bigr) \vee \\
& \vee (\neg X_{10} \neg (X_{1} X_{5})) \wedge \bigl( \neg (X_{5} X_{13}) \wedge (A \triangleright ((X_{1} X_{15}) \wedge (X_{13} X_{15}))) \bigr) \vee \\
& \vee (\neg X_{10} \neg (X_{1} X_{5})) \wedge \bigl( A \triangleright ((X_{1} X_{15}) \wedge (X_{5} X_{13}) \wedge (X_{13} X_{15})) \bigr) \, .
\end{aligned}
$$

Applying rules (4.51) and (4.52) provides a simplified $\eta_{2b3}$: 

$$
\begin{aligned}
\eta_{2b3} ={}& \text{False} \vee [(\neg X_{10} \neg (X_{1} X_{5}) \neg (X_{5} X_{13})) \wedge ((A \wedge X_{1} \wedge X_{13}) \triangleright X_{15})] \vee \text{False} = \\
={}& [(\neg X_{5} \neg X_{10}) \wedge ((A \wedge X_{1} \wedge X_{13}) \triangleright X_{15})] \, . \qquad (7.24)
\end{aligned}
$$

The results in (7.24), (7.23), and (7.17) are inserted into (7.15), which provides the five 
event sequences (again without SANDs) of $\eta_{2b}$. 

Transformation of the expressions $\eta_{2c}$ and $\eta_{3}$ is carried out analogously to the detailed 
steps from above. This is not described explicitly. 

Expression $\eta_{2c}$ from (7.12) provides two expressions (again without SAND): 

$$
\begin{aligned}
\eta_{2c} ={}& [(\neg X_{10} \neg X_{15}) \wedge ((A \wedge X_{1} \wedge X_{13}) \triangleright X_{5})] \vee \\
& \vee [(\neg X_{10} \neg X_{13}) \wedge ((A \wedge X_{5} \wedge X_{15}) \triangleright X_{1})] \, . \qquad (7.25)
\end{aligned}
$$

Together with (7.14) and (7.15), $\eta_{2}$ therefore yields eight event sequences (without SAND). 

Then, expression $\eta_{3}$ provides only event sequences with at least one SAND and is therefore 
not considered further. 

In total, $A \triangleright B$ therefore yields two event sequences without SAND from $\eta_{1}$, see (7.11), and 
eight event sequences from $\eta_{2}$: 


$$
\begin{aligned}
A \triangleright B ={}& [(\neg X_{1} \neg X_{13}) \wedge (A \triangleright X_{10})] \vee && \text{(ES1)} \\
& \vee [(\neg X_{5} \neg X_{15}) \wedge (A \triangleright X_{10})] \vee && \text{(ES2)} \\
& \vee [(\neg X_{10} \neg X_{13} \neg X_{15}) \wedge (A \triangleright (X_{1} X_{5}))] \vee && \text{(ES3)} \\
& \vee [(\neg X_{5} \neg X_{10} \neg X_{13}) \wedge (A \triangleright (X_{1} X_{15}))] \vee && \text{(ES4)} \\
& \vee [(\neg X_{1} \neg X_{10} \neg X_{15}) \wedge (A \triangleright (X_{5} X_{13}))] \vee && \text{(ES5)} \\
& \vee [(\neg X_{1} \neg X_{5} \neg X_{10}) \wedge (A \triangleright (X_{13} X_{15}))] \vee && \text{(ES6)} \\
& \vee [(\neg X_{1} \neg X_{10}) \wedge ((A \wedge X_{5} \wedge X_{15}) \triangleright X_{13})] \vee && \text{(ES7)} \\
& \vee [(\neg X_{5} \neg X_{10}) \wedge ((A \wedge X_{1} \wedge X_{13}) \triangleright X_{15})] \vee && \text{(ES8)} \\
& \vee [(\neg X_{10} \neg X_{15}) \wedge ((A \wedge X_{1} \wedge X_{13}) \triangleright X_{5})] \vee && \text{(ES9)} \\
& \vee [(\neg X_{10} \neg X_{13}) \wedge ((A \wedge X_{5} \wedge X_{15}) \triangleright X_{1})] \, . && \text{(ES10)} \qquad (7.26)
\end{aligned}
$$

Below, identifiers (ES1) to (ES10) are used as a reference to the respective event sequence. The 
transformation of $A$ is done using the temporal distributive law for temporal expressions of type 
II according to (4.78). Applying (7.26) and further simplification then yields 28 different event 
sequences for $A \triangleright B$. 


$$
\begin{aligned}
(X_{1} \vee X_{5} \vee X_{20} \vee X_{22} \vee X_{24}) \triangleright B ={}& \ldots = \\
={}& [(\neg X_{1} \neg X_{13}) \wedge ((X_{5} \vee X_{20} \vee X_{22} \vee X_{24}) \triangleright X_{10})] \vee && \text{(from ES1)} \\
& \vee [(\neg X_{5} \neg X_{15}) \wedge ((X_{1} \vee X_{20} \vee X_{22} \vee X_{24}) \triangleright X_{10})] \vee && \text{(from ES2)} \\
& \vee [(\neg X_{10} \neg X_{13} \neg X_{15}) \wedge ((X_{20} \vee X_{22} \vee X_{24}) \triangleright (X_{1} X_{5}))] \vee && \text{(from ES3)} \\
& \vee [(\neg X_{10} \neg X_{13} \neg X_{15}) \wedge (X_{1} \triangleright X_{5})] \vee && \text{(from ES3)} \\
& \vee [(\neg X_{10} \neg X_{13} \neg X_{15}) \wedge (X_{5} \triangleright X_{1})] \vee && \text{(from ES3)} \\
& \vee [(\neg X_{5} \neg X_{10} \neg X_{13}) \wedge ((X_{20} \vee X_{22} \vee X_{24}) \triangleright (X_{1} X_{15}))] \vee && \text{(from ES4)} \\
& \vee [(\neg X_{5} \neg X_{10} \neg X_{13}) \wedge (X_{1} \triangleright X_{15})] \vee && \text{(from ES4)} \\
& \vee [(\neg X_{1} \neg X_{10} \neg X_{15}) \wedge ((X_{20} \vee X_{22} \vee X_{24}) \triangleright (X_{5} X_{13}))] \vee && \text{(from ES5)} \\
& \vee [(\neg X_{1} \neg X_{10} \neg X_{15}) \wedge (X_{5} \triangleright X_{13})] \vee && \text{(from ES5)} \\
& \vee [(\neg X_{1} \neg X_{5} \neg X_{10}) \wedge ((X_{20} \vee X_{22} \vee X_{24}) \triangleright (X_{13} X_{15}))] \vee && \text{(from ES6)} \\
& \vee [(\neg X_{1} \neg X_{10}) \wedge ((X_{5} \wedge X_{15}) \triangleright X_{13})] \vee && \text{(from ES7)} \\
& \vee [(\neg X_{5} \neg X_{10}) \wedge ((X_{1} \wedge X_{13}) \triangleright X_{15})] \vee && \text{(from ES8)} \\
& \vee [(\neg X_{10} \neg X_{15}) \wedge ((X_{1} \wedge X_{13}) \triangleright X_{5})] \vee && \text{(from ES9)} \\
& \vee [(\neg X_{10} \neg X_{13}) \wedge ((X_{5} \wedge X_{15}) \triangleright X_{1})] \, . && \text{(from ES10)} \qquad (7.27)
\end{aligned}
$$

Thus, $A \triangleright B$ alone provides 12 event sequences of rank two and 16 event sequences of rank three. 


Simplification of $(A \triangleright B) \wedge C$: 

Using the TFTA’s temporal logic, the meshing between event $B$ and $C$ in the sixth and last 
sub-expression of (7.3) may be solved. 

According to (7.1), $B$ and $C$ are given as 

$$ B = X_{10} \vee [(X_{1} \vee X_{13}) \wedge (X_{5} \vee X_{15})] \quad \text{and} \qquad (7.28) $$

$$ C = X_{28} \vee [(X_{1} \vee X_{13}) \wedge (X_{5} \vee X_{15})] \vee [(X_{27} \vee X_{18}) \triangleright X_{10}] \, . \qquad (7.29) $$

Further substitution with 

$$ D = (X_{1} \vee X_{13}) \wedge (X_{5} \vee X_{15}) = X_{1} X_{5} \vee X_{1} X_{15} \vee X_{5} X_{13} \vee X_{13} X_{15} \qquad (7.30) $$

uncovers the relationship between $B$ and $C$: 

$$ B = X_{10} \vee D \quad \text{and} \qquad (7.31) $$

$$ C = X_{28} \vee D \vee ((X_{27} \vee X_{18}) \triangleright X_{10}) \, . \qquad (7.32) $$

Applying (7.31) and (7.32) provides 

$$
\begin{aligned}
(A \triangleright B) \wedge C ={}& (A \triangleright B) \wedge \bigl( X_{28} \vee D \vee ((X_{27} \vee X_{18}) \triangleright X_{10}) \bigr) = \\
={}& [(A \triangleright B) \wedge X_{28}] \vee [(A \triangleright B) \wedge D] \vee [(A \triangleright B) \wedge ((X_{27} \vee X_{18}) \triangleright X_{10})] \, . \qquad (7.33)
\end{aligned}
$$

The first expression yields (without SAND) 

$$ (A \triangleright B) \wedge X_{28} = [A \triangleright B \triangleright X_{28}] \vee [(A \wedge X_{28}) \triangleright B] \, . \qquad (7.34) $$

The TDNF of $(A \triangleright B) \wedge X_{28}$ consists of 56 MCSS in total. $[A \triangleright B \triangleright X_{28}]$ provides 28 MCSS, 
each similar to those in (7.27) but extended by an additional $X_{28}$. $[(A \wedge X_{28}) \triangleright B]$ also provides 
28 MCSS similar to those in (7.27); instead of $A$, the expression $A \wedge X_{28}$ is used. 
24 of the MCSS are of rank three and 32 of the MCSS are of rank four. 

The second expression in (7.33) provides (without SAND) 

$$
\begin{aligned}
(A \triangleright B) \wedge D ={}& (A \triangleright (X_{10} \vee D)) \wedge D = \ldots = \\
={}& [\neg X_{10} \wedge (A \triangleright D)] \vee [A \triangleright X_{10} \triangleright D] \, . \qquad (7.35)
\end{aligned}
$$

$[\neg X_{10} \wedge (A \triangleright D)]$ provides 20 MCSS similar to those in (7.27). As $D$ does not include event 
$X_{10}$ (other than $B$), the first eight event sequences may be dropped, i.e. the first two rows in 
(7.27). In the other rows the $X_{10}$ are also dropped. Therefore, 

AaD = ^ A . ( 7 . 36 ) 

For expression $[\neg X_{10} \wedge (A \triangleright D)]$ only four MCSS of rank two and 16 MCSS of rank three 
remain, see (7.37). 

$$
\begin{aligned}
\neg X_{10} \wedge (A \triangleright D) ={}& [(\neg X_{10} \neg X_{13} \neg X_{15}) \wedge ((X_{20} \vee X_{22} \vee X_{24}) \triangleright (X_{1} X_{5}))] \vee \\
& \vee [(\neg X_{10} \neg X_{13} \neg X_{15}) \wedge (X_{1} \triangleright X_{5})] \vee \\
& \vee [(\neg X_{10} \neg X_{13} \neg X_{15}) \wedge (X_{5} \triangleright X_{1})] \vee \\
& \vee [(\neg X_{5} \neg X_{10} \neg X_{13}) \wedge ((X_{20} \vee X_{22} \vee X_{24}) \triangleright (X_{1} X_{15}))] \vee \\
& \vee [(\neg X_{5} \neg X_{10} \neg X_{13}) \wedge (X_{1} \triangleright X_{15})] \vee \\
& \vee [(\neg X_{1} \neg X_{10} \neg X_{15}) \wedge ((X_{20} \vee X_{22} \vee X_{24}) \triangleright (X_{5} X_{13}))] \vee \\
& \vee [(\neg X_{1} \neg X_{10} \neg X_{15}) \wedge (X_{5} \triangleright X_{13})] \vee \\
& \vee [(\neg X_{1} \neg X_{5} \neg X_{10}) \wedge ((X_{20} \vee X_{22} \vee X_{24}) \triangleright (X_{13} X_{15}))] \vee \\
& \vee [(\neg X_{1} \neg X_{10}) \wedge ((X_{5} \wedge X_{15}) \triangleright X_{13})] \vee \\
& \vee [(\neg X_{5} \neg X_{10}) \wedge ((X_{1} \wedge X_{13}) \triangleright X_{15})] \vee \\
& \vee [(\neg X_{10} \neg X_{15}) \wedge ((X_{1} \wedge X_{13}) \triangleright X_{5})] \vee \\
& \vee [(\neg X_{10} \neg X_{13}) \wedge ((X_{5} \wedge X_{15}) \triangleright X_{1})] \, . \qquad (7.37)
\end{aligned}
$$

The expression in (7.37) provides 20 MCSS. Because of the additional $X_{10}$, four of those MCSS 
are of rank three and 16 are of rank four, see (7.38). 

$$
\begin{aligned}
A \triangleright X_{10} \triangleright D ={}& [(\neg X_{13} \neg X_{15}) \wedge ((X_{20} \vee X_{22} \vee X_{24}) \triangleright X_{10} \triangleright (X_{1} X_{5}))] \vee \\
& \vee [(\neg X_{13} \neg X_{15}) \wedge (X_{1} \triangleright X_{10} \triangleright X_{5})] \vee \\
& \vee [(\neg X_{10} \neg X_{13} \neg X_{15}) \wedge (X_{5} \triangleright X_{10} \triangleright X_{1})] \vee \\
& \vee [(\neg X_{5} \neg X_{13}) \wedge ((X_{20} \vee X_{22} \vee X_{24}) \triangleright X_{10} \triangleright (X_{1} X_{15}))] \vee \\
& \vee [(\neg X_{5} \neg X_{10} \neg X_{13}) \wedge (X_{1} \triangleright X_{10} \triangleright X_{15})] \vee \\
& \vee [(\neg X_{1} \neg X_{15}) \wedge ((X_{20} \vee X_{22} \vee X_{24}) \triangleright X_{10} \triangleright (X_{5} X_{13}))] \vee \\
& \vee [(\neg X_{1} \neg X_{10} \neg X_{15}) \wedge (X_{5} \triangleright X_{10} \triangleright X_{13})] \vee \\
& \vee [(\neg X_{1} \neg X_{5}) \wedge ((X_{20} \vee X_{22} \vee X_{24}) \triangleright X_{10} \triangleright (X_{13} X_{15}))] \vee \\
& \vee [\neg X_{1} \wedge ((X_{5} \wedge X_{15}) \triangleright X_{10} \triangleright X_{13})] \vee \\
& \vee [\neg X_{5} \wedge ((X_{1} \wedge X_{13}) \triangleright X_{10} \triangleright X_{15})] \vee \\
& \vee [\neg X_{15} \wedge ((X_{1} \wedge X_{13}) \triangleright X_{10} \triangleright X_{5})] \vee \\
& \vee [\neg X_{13} \wedge ((X_{5} \wedge X_{15}) \triangleright X_{10} \triangleright X_{1})] \, . \qquad (7.38)
\end{aligned}
$$

The transformation of the third expression $[(A \triangleright B) \wedge ((X_{27} \vee X_{18}) \triangleright X_{10})]$, see (7.33), is best 
demonstrated separately for each of the event sequences (ES1) to (ES10) in (7.26). 

(ES1) and (ES2) differ in the relevant events; therefore 

$$
\begin{aligned}
\text{(ES1)}: \; & [(\neg X_{1} \neg X_{13}) \wedge ((X_{5} \vee X_{20} \vee X_{22} \vee X_{24}) \triangleright X_{10})] \wedge ((X_{27} \vee X_{18}) \triangleright X_{10}) = \\
& = (\neg X_{1} \neg X_{13}) \wedge \bigl( (X_{5} X_{18}) \vee (X_{20} X_{18}) \vee (X_{22} X_{18}) \vee (X_{24} X_{18}) \vee \\
& \qquad \vee (X_{5} X_{27}) \vee (X_{20} X_{27}) \vee (X_{22} X_{27}) \vee (X_{24} X_{27}) \bigr) \triangleright X_{10} \quad \text{and} \\
\text{(ES2)}: \; & (\neg X_{5} \neg X_{15}) \wedge \bigl( (X_{1} X_{18}) \vee (X_{20} X_{18}) \vee (X_{22} X_{18}) \vee (X_{24} X_{18}) \vee \\
& \qquad \vee (X_{1} X_{27}) \vee (X_{20} X_{27}) \vee (X_{22} X_{27}) \vee (X_{24} X_{27}) \bigr) \triangleright X_{10} \, . \qquad (7.39)
\end{aligned}
$$

The first part of (ES3) provides 

$$ \text{(ES3)}: \; [(\neg X_{10} \neg X_{13} \neg X_{15}) \wedge ((X_{20} \vee X_{22} \vee X_{24}) \triangleright (X_{1} X_{5}))] \wedge ((X_{27} \vee X_{18}) \triangleright X_{10}) \, . \qquad (7.40) $$

Further simplification yields only event sequences of rank five and higher. These are not further 
considered, as they are far more improbable than the other MCSS, which contribute significantly 
more. Such a reduction of the necessary effort is state of the art in conventional FTA, too. The 
same is true for the simplification of the first part of (ES4) and (ES5), as well as for all of (ES6) 
to (ES10). 

The second part of (ES3) provides four MCSS of rank four: 

$$
\begin{aligned}
\text{(ES3)}: \; & [(\neg X_{10} \neg X_{13} \neg X_{15}) \wedge (X_{1} \triangleright X_{5})] \wedge ((X_{27} \vee X_{18}) \triangleright X_{10}) = \\
& = [(\neg X_{13} \neg X_{15} \neg X_{27}) \wedge (X_{1} \triangleright X_{5} \triangleright X_{18} \triangleright X_{10})] \vee \\
& \quad \vee [(\neg X_{13} \neg X_{15} \neg X_{18}) \wedge (X_{1} \triangleright X_{5} \triangleright X_{27} \triangleright X_{10})] \vee \\
& \quad \vee [(\neg X_{13} \neg X_{15} \neg X_{27}) \wedge ((X_{1} X_{18}) \triangleright X_{5} \triangleright X_{10})] \vee \\
& \quad \vee [(\neg X_{13} \neg X_{15} \neg X_{18}) \wedge ((X_{1} X_{27}) \triangleright X_{5} \triangleright X_{10})] \, . \qquad (7.41)
\end{aligned}
$$

Analogously, the third part of (ES3) and the second parts of (ES4) and (ES5) also provide 
four MCSS of rank four, respectively: 

$$
\begin{aligned}
\text{(ES3)}: \; & [(\neg X_{10} \neg X_{13} \neg X_{15}) \wedge (X_{5} \triangleright X_{1})] \wedge ((X_{27} \vee X_{18}) \triangleright X_{10}) = \\
& = [(\neg X_{13} \neg X_{15} \neg X_{27}) \wedge (X_{5} \triangleright X_{1} \triangleright X_{18} \triangleright X_{10})] \vee \\
& \quad \vee [(\neg X_{13} \neg X_{15} \neg X_{18}) \wedge (X_{5} \triangleright X_{1} \triangleright X_{27} \triangleright X_{10})] \vee \\
& \quad \vee [(\neg X_{13} \neg X_{15} \neg X_{27}) \wedge ((X_{5} X_{18}) \triangleright X_{1} \triangleright X_{10})] \vee \\
& \quad \vee [(\neg X_{13} \neg X_{15} \neg X_{18}) \wedge ((X_{5} X_{27}) \triangleright X_{1} \triangleright X_{10})] \, . \qquad (7.42)
\end{aligned}
$$

$$
\begin{aligned}
\text{(ES4)}: \; & [(\neg X_{5} \neg X_{10} \neg X_{13}) \wedge (X_{1} \triangleright X_{15})] \wedge ((X_{27} \vee X_{18}) \triangleright X_{10}) = \\
& = [(\neg X_{5} \neg X_{13} \neg X_{27}) \wedge (X_{1} \triangleright X_{15} \triangleright X_{18} \triangleright X_{10})] \vee \\
& \quad \vee [(\neg X_{5} \neg X_{13} \neg X_{18}) \wedge (X_{1} \triangleright X_{15} \triangleright X_{27} \triangleright X_{10})] \vee \\
& \quad \vee [(\neg X_{5} \neg X_{13} \neg X_{27}) \wedge ((X_{1} X_{18}) \triangleright X_{15} \triangleright X_{10})] \vee \\
& \quad \vee [(\neg X_{5} \neg X_{13} \neg X_{18}) \wedge ((X_{1} X_{27}) \triangleright X_{15} \triangleright X_{10})] \, . \qquad (7.43)
\end{aligned}
$$

$$
\begin{aligned}
\text{(ES5)}: \; & [(\neg X_{1} \neg X_{10} \neg X_{15}) \wedge (X_{5} \triangleright X_{13})] \wedge ((X_{27} \vee X_{18}) \triangleright X_{10}) = \\
& = [(\neg X_{1} \neg X_{15} \neg X_{27}) \wedge (X_{5} \triangleright X_{13} \triangleright X_{18} \triangleright X_{10})] \vee \\
& \quad \vee [(\neg X_{1} \neg X_{15} \neg X_{18}) \wedge (X_{5} \triangleright X_{13} \triangleright X_{27} \triangleright X_{10})] \vee \\
& \quad \vee [(\neg X_{1} \neg X_{15} \neg X_{27}) \wedge ((X_{5} X_{18}) \triangleright X_{13} \triangleright X_{10})] \vee \\
& \quad \vee [(\neg X_{1} \neg X_{15} \neg X_{18}) \wedge ((X_{5} X_{27}) \triangleright X_{13} \triangleright X_{10})] \, . \qquad (7.44)
\end{aligned}
$$

7.3.3 Analysis of the MCSS 

The MCSS of the temporal failure function $\varpi$ are derived from the event sequences of the sub-expressions 
in (7.3), which are not necessarily already MCSS, i.e. there could be intersections 
and overlaps between these individual expressions. In general, MCSS of smaller rank are those 
with higher importance. Therefore, the following discussion focusses on MCSS of rank two and 
three. 


Event Sequences of the Resulting Expressions 

The expressions’ event sequences of rank two and three are listed in table 7.4. They are derived 
from table 7.3 on page 92 as well as the equations (7.34), (7.37), (7.38), and (7.39). 


(extended) event sequences of rank two: 

 1: X1 ⊳ X5      2: X5 ⊳ X1      3: X1 ⊳ X15      4: X5 ⊳ X13      5: X28 ∧ X38 

(extended) event sequences of rank three: 

  1: X28 ∧ X30 ∧ X32           25: (X5 ∧ X28) ⊳ X10 
  2: X28 ∧ X30 ∧ X36           26: (X20 ∧ X28) ⊳ X10 
  3: X28 ∧ X32 ∧ X34           27: (X22 ∧ X28) ⊳ X10 
  4: X28 ∧ X34 ∧ X36           28: (X24 ∧ X28) ⊳ X10 
  5: X18 ⊳ X10 ⊳ X38           29: (X1 ∧ X28) ⊳ X10 
  6: (X18 ∧ X38) ⊳ X10         30: 
  7: X1 ∧ X5 ∧ X38             31: 
  8: X1 ∧ X15 ∧ X38 ∘          32: 
  9: X5 ∧ X13 ∧ X38 ∘          33: (X1 ∧ X28) ⊳ X5 
 10: X13 ∧ X15 ∧ X38           34: (X5 ∧ X28) ⊳ X1 
 11: X27 ⊳ X10 ⊳ X38           35: (X1 ∧ X28) ⊳ X15 
 12: (X27 ∧ X38) ⊳ X10         36: (X5 ∧ X28) ⊳ X13 
 13: X5 ⊳ X10 ⊳ X28            37: X20 ⊳ (X1 ∧ X5) 
 14: X20 ⊳ X10 ⊳ X28           38: X22 ⊳ (X1 ∧ X5) 
 15: X22 ⊳ X10 ⊳ X28           39: X24 ⊳ (X1 ∧ X5) 
 16: X24 ⊳ X10 ⊳ X28           40: X20 ⊳ (X1 ∧ X15) ∘ 
 17: X1 ⊳ X10 ⊳ X28            41: X22 ⊳ (X1 ∧ X15) ∘ 
 18:                           42: X24 ⊳ (X1 ∧ X15) ∘ 
 19:                           43: X20 ⊳ (X5 ∧ X13) ∘ 
 20:                           44: X22 ⊳ (X5 ∧ X13) ∘ 
 21: X1 ⊳ X5 ⊳ X28             45: X24 ⊳ (X5 ∧ X13) ∘ 
 22: X5 ⊳ X1 ⊳ X28             46: X20 ⊳ (X13 ∧ X15) 
 23: X1 ⊳ X15 ⊳ X28            47: X22 ⊳ (X13 ∧ X15) 
 24: X5 ⊳ X13 ⊳ X28            48: X24 ⊳ (X13 ∧ X15) 

 49 to 72 (entries legible on the page): X1 ⊳ X10 ⊳ X5, X5 ⊳ X10 ⊳ X1, X1 ⊳ X10 ⊳ X15, 
 X5 ⊳ X10 ⊳ X13, (X5 ∧ X18) ⊳ X10, (X18 ∧ X20) ⊳ X10, (X18 ∧ X22) ⊳ X10, (X18 ∧ X24) ⊳ X10, 
 (X1 ∧ X18) ⊳ X10, (X5 ∧ X27) ⊳ X10, (X20 ∧ X27) ⊳ X10, (X22 ∧ X27) ⊳ X10, (X24 ∧ X27) ⊳ X10, 
 (X1 ∧ X27) ⊳ X10, (X5 ∧ X15) ⊳ X13, (X1 ∧ X13) ⊳ X15, (X1 ∧ X13) ⊳ X5, (X5 ∧ X15) ⊳ X1 

Table 7.4: Event sequences of rank two and three. Event sequences which are included more 
than once are underlined, non-minimal event sequences are struck through, 
“partly” non-minimal event sequences are marked with ∘. 


Minimal Form and MCSS of the Failure Function 

A total of 12 of the 77 event sequences in table 7.4 are included at least twice and may be 
omitted using the law of idempotency. A further 20 event sequences are non-minimal and also 
omitted. The extended event sequences number 8 and 9 and 40 to 45, i.e. 

$$
\begin{aligned}
& [X_{1} \wedge X_{15} \wedge X_{38}], \; [X_{5} \wedge X_{13} \wedge X_{38}], \\
& [X_{20} \triangleright (X_{1} \wedge X_{15})], \; [X_{22} \triangleright (X_{1} \wedge X_{15})], \; [X_{24} \triangleright (X_{1} \wedge X_{15})], \\
& [X_{20} \triangleright (X_{5} \wedge X_{13})], \; [X_{22} \triangleright (X_{5} \wedge X_{13})], \; [X_{24} \triangleright (X_{5} \wedge X_{13})] \qquad (7.45)
\end{aligned}
$$

are “partly” non-minimal with respect to the MCSS of rank two, i.e. 

$$ [X_{1} \triangleright X_{15}] \quad \text{and} \quad [X_{5} \triangleright X_{13}] \, . \qquad (7.46) $$

Therefore, it is necessary to break up the extended event sequences in order to separate their 
minimal and non-minimal parts. 

For example, the event sequence $X_{20} \triangleright (X_{1} \wedge X_{15})$ provides (without SAND) two non-extended 
(normal) event sequences, i.e. 

$$ X_{20} \triangleright (X_{1} \wedge X_{15}) = [(X_{1} X_{20}) \triangleright X_{15}] \vee [(X_{15} X_{20}) \triangleright X_{1}] \, , \qquad (7.47) $$

where the first is non-minimal with respect to $X_{1} \triangleright X_{15}$. 

In analogy to that, 

$$ X_{1} \wedge X_{15} \wedge X_{38} = [(X_{1} \triangleright X_{15}) \wedge X_{38}] \vee [(X_{15} \triangleright X_{1}) \wedge X_{38}] \, . \qquad (7.48) $$

Only the second event sequence is minimal. It is first transformed into a TDNF, thus 

$$ (X_{15} \triangleright X_{1}) \wedge X_{38} = [X_{15} \triangleright X_{1} \triangleright X_{38}] \vee [(X_{15} \wedge X_{38}) \triangleright X_{1}] \, . \qquad (7.49) $$

Therefore, the two partly minimal event sequences number 8 and 9 provide four minimal MCSS. 

Table 7.5 shows a cleaned up list, in which only MCSS of rank two and three of the failure 
function $\varpi$ are shown. 


(extended) MCSS of rank two: 

 1: X1 ⊳ X5      2: X5 ⊳ X1      3: X1 ⊳ X15      4: X5 ⊳ X13      5: X28 ∧ X38 

(extended) MCSS of rank three: 

  1: X28 ∧ X30 ∧ X32       15: (X5 ∧ X28) ⊳ X10      29: X20 ⊳ X10 ⊳ X28 
  2: X28 ∧ X30 ∧ X36       16: (X20 ∧ X28) ⊳ X10     30: X22 ⊳ X10 ⊳ X28 
  3: X28 ∧ X32 ∧ X34       17: (X22 ∧ X28) ⊳ X10     31: X24 ⊳ X10 ⊳ X28 
  4: X28 ∧ X34 ∧ X36       18: (X24 ∧ X28) ⊳ X10     32: X1 ⊳ X10 ⊳ X28 
  5: X18 ⊳ X10 ⊳ X38       19: (X1 ∧ X28) ⊳ X10      33: (X5 ∧ X18) ⊳ X10 
  6: (X18 ∧ X38) ⊳ X10     20: (X15 ∧ X20) ⊳ X1      34: (X18 ∧ X20) ⊳ X10 
  7: X15 ⊳ X1 ⊳ X38        21: (X15 ∧ X22) ⊳ X1      35: (X18 ∧ X22) ⊳ X10 
  8: (X15 ∧ X38) ⊳ X1      22: (X15 ∧ X24) ⊳ X1      36: (X18 ∧ X24) ⊳ X10 
  9: X13 ⊳ X5 ⊳ X38        23: (X13 ∧ X20) ⊳ X5      37: (X1 ∧ X18) ⊳ X10 
 10: (X13 ∧ X38) ⊳ X5      24: (X13 ∧ X22) ⊳ X5      38: (X5 ∧ X27) ⊳ X10 
 11: X13 ∧ X15 ∧ X38       25: (X13 ∧ X24) ⊳ X5      39: (X20 ∧ X27) ⊳ X10 
 12: X27 ⊳ X10 ⊳ X38       26: X20 ⊳ (X13 ∧ X15)     40: (X22 ∧ X27) ⊳ X10 
 13: (X27 ∧ X38) ⊳ X10     27: X22 ⊳ (X13 ∧ X15)     41: (X24 ∧ X27) ⊳ X10 
 14: X5 ⊳ X10 ⊳ X28        28: X24 ⊳ (X13 ∧ X15)     42: (X1 ∧ X27) ⊳ X10 

Table 7.5: MCSS of rank two and three. This table is a version of table 7.4, but stripped of 
non-minimal event sequences and duplicates. 


Results 

The MCSS of the failure function are all of ranks two and higher. Therefore, no single failure 
within the system as modelled leads directly to an infraction of the safety goal. The example 
system thus satisfies the requirement of single-failure-resistance, as described in chapter 7 . 2 . 

The most important combinations of dangerous failures, that lead to an infraction of the 
safety goal, are MCSS of rank two and three. The five MCSS of rank two are 
1. either failures of the two sensors following each other. In this case EN1 would be activated 
by the first sensor failure, and SAF would be activated by the second sensor failure. These 
two failures may occur in arbitrary sequence. 

2. or one sensor failure in combination with a failure of the μC. The sensor failure needs to occur 
before the failure of the μC, otherwise the sequence logic in L would not be activated. 

3. or a failure of T3 in combination with a failure of L, which activates both power stages. 
These two failures may occur in arbitrary sequence. 

MCSS of rank three are e.g. 

1 . a double failure of the high side and the low side of the driver in combination with an 
internal failure in T 3 . No sequence logic has to be respected here. Specifically, numbers 
1 to 4 in table 7.5 are combinations of this type. 

2. failures of the system ASIC in combination with failures of the μC and/or sensor failures. 
Specifically, numbers 20 to 28 in table 7.5 are combinations of this type. 

3. a failure of the watchdog or of the emergency switch in combination with an ASIC failure, 
where both occur before an additional failure of the μC, see, for instance, numbers 34 to 
36 and 39 to 41 in table 7.5. 

4. a failure in one of the sensors in combination with a failure of the watchdog or the emergency 
switch, where both occur before an additional failure of the μC, see, for instance, 
numbers 33, 37, 38, and 42 in table 7.5. 

7.4 Probabilistic Analysis of the TOP Failure Parameters 

The qualitative analysis of the temporal fault tree is used as evidence that the system stays below 
the threshold for failure rates as required by ISO 26262 for ASIL D systems. This threshold is 
given as $< 1 \cdot 10^{-8}\,\frac{1}{\mathrm{h}}$ for any operating hour during the whole mission time. 

In order to do so, it has to be demonstrated that the failure rate of the TOP event $\lambda_{\mathrm{TOP}}$ 
stays below this threshold. 

Because of $f_{\mathrm{TOP}}(T_M) \approx \lambda_{\mathrm{TOP}}$, see (5.59), it is sufficient to use the TOP event’s failure 
frequency as a good approximation. 

Furthermore, an iterative multi-step approach is chosen that reduces effort and is used in 
similar fashion in many real world FTA analyses. First, an approximation with conservative 
estimations of the failure rates is used that allows for a first overview. 

The evidence is sufficiently produced if, using this approach, the thresholds, as required by 
the safety standard, are not exceeded. If this cannot be shown, the next step is to determine 
the failure rates more exactly and/or use exact calculations instead of approximations, and to 
possibly restrict the further analysis to the most important contributors as identified in the first 
step’s overview. The termination condition for these steps is that the thresholds, as required 
by the safety standard, are no longer exceeded. 

Because of this, in the following discussion the MCSS are not transformed into a mutually 
exclusive (disjoint) form. Instead, the approximation approach from chapter 5.5 is used. This 
corresponds to the bottom most path in figure 3.1 on page 18. 

Quantification of the failure function $\varpi$ is carried out using its MCSS from table 7.5. All 
basic events are allocated the same failure rate of $\lambda = 10^{-6}\,\frac{1}{\mathrm{h}}$. 
Table 7.6 shows failure probabilities and failure frequencies according to (5.74) and (5.75) for 
each MCSS from table 7.5. The mission time is given as $T_M = 1000\,\mathrm{h}$. 


MCSS of rank two: 

 1: F = 5·10^-7; f = 1·10^-9 1/h 
 2: F = 5·10^-7; f = 1·10^-9 1/h 
 3: F = 5·10^-7; f = 1·10^-9 1/h 
 4: F = 5·10^-7; f = 1·10^-9 1/h 
 5: F = 1·10^-6; f = 2·10^-9 1/h 

MCSS of rank three: 

 1 to 42: F of the order of 10^-9; f of the order of 10^-12 1/h (the individual entries are not legible on the page) 

Table 7.6: Failure probabilities and failure frequencies according to (5.74) and (5.75) for each 
MCSS from table 7.5. 

Failure characteristics at TOP event level are then calculated using (5.55) and (5.56), respectively, 
as sum of the individual MCSS’ contributions. Using the values from table 7.6 yields 

$$ F_{\mathrm{TOP}}(T_M) \approx 3{,}017 \cdot 10^{-6} \quad \text{and} \qquad (7.50) $$

$$ f_{\mathrm{TOP}}(T_M) \approx 6{,}055 \cdot 10^{-9}\,\frac{1}{\mathrm{h}} \, . \qquad (7.51) $$

This first approximation already provides the evidence for meeting the ISO 26262 standard’s 
requirements for ASIL D; the TOP event’s failure frequency in (7.51) stays well below the 
threshold of $1 \cdot 10^{-8}\,\frac{1}{\mathrm{h}}$. 

Remark: With conventional FTA the PAND gate would have to be replaced by normal AND 
gates. This would affect the failure frequencies of minimal cutsets of rank two the most. These 
minimal cutsets would be the same as the MCSS of rank two, only using AND operators instead 
of the PANDs. Accordingly, in a Boolean FTA the TOP event’s failure frequency would nearly 
double compared to the TFTA’s result, yielding $> 1 \cdot 10^{-8}\,\frac{1}{\mathrm{h}}$ and, thus, exceeding the threshold 
limit. 
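The first-approximation quantification and the remark on the Boolean FTA, as an added example that is not the thesis's own code: it assumes independent basic events with the common constant failure rate of chapter 7.4 and the rare-event approximation $F(T) \approx p\,(\lambda T)^N$, $f(T) \approx p\,N\lambda(\lambda T)^{N-1}$ for an extended event sequence of rank $N$, where $p$ is the share of event orderings that respect the sequence. That this is what (5.74) and (5.75) prescribe is an assumption; the rank-two rows of table 7.6 and the Boolean rank-three rows are reproduced by it.

```python
"""First-order quantification of MCSS with a common constant failure rate (added example).

Assumptions: independent basic events, each with the same constant failure rate λ, and the
rare-event approximation for an extended event sequence [S1, ..., Sn] in which the
conjunction of stage i becomes True before the conjunction of stage i+1 does:

    F(T) ≈ p · (λT)^N          f(T) ≈ dF/dT = p · N · λ · (λT)^(N-1)

with N the rank (number of basic events) and p the share of the N! orderings of the
events that respect the stage chain.  A one-stage list is a Boolean cutset (p = 1).
"""

LAMBDA = 1e-6   # 1/h, failure rate allocated to every basic event (chapter 7.4)
T_M = 1000.0    # h, mission time (chapter 7.4)


def ordering_share(stages):
    """Share of orderings with max(S1) < max(S2) < ... < max(Sn).

    The last event among S1..Si must lie in Si, which holds for a share of
    |Si| / (|S1| + ... + |Si|) of the orderings; the factors multiply.
    """
    share, seen = 1.0, 0
    for stage in stages:
        seen += len(stage)
        share *= len(stage) / seen
    return share


def fail_prob(stages, lam=LAMBDA, t=T_M):
    """Failure probability F(t) of one MCSS."""
    n = sum(len(s) for s in stages)
    return ordering_share(stages) * (lam * t) ** n


def fail_freq(stages, lam=LAMBDA, t=T_M):
    """Failure frequency f(t) of one MCSS (time derivative of F)."""
    n = sum(len(s) for s in stages)
    return ordering_share(stages) * n * lam * (lam * t) ** (n - 1)


def to_boolean(stages):
    """Conventional FTA view of the same MCSS: PAND replaced by AND, one merged cutset."""
    return [set().union(*stages)]


# The five MCSS of rank two from table 7.5 (stage lists constructed from the thesis).
RANK_TWO = {
    "1: X1 ⊳ X5": [{"X1"}, {"X5"}],
    "2: X5 ⊳ X1": [{"X5"}, {"X1"}],
    "3: X1 ⊳ X15": [{"X1"}, {"X15"}],
    "4: X5 ⊳ X13": [{"X5"}, {"X13"}],
    "5: X28 ∧ X38": [{"X28", "X38"}],
}


def top_event(mcss):
    """TOP-level F and f as the sum of the individual MCSS contributions."""
    total_prob = sum(fail_prob(s) for s in mcss.values())
    total_freq = sum(fail_freq(s) for s in mcss.values())
    return total_prob, total_freq


def boolean_top_event(mcss):
    """The same sums after replacing every PAND by AND, as in the remark above."""
    return top_event({name: to_boolean(s) for name, s in mcss.items()})


if __name__ == "__main__":
    for name, stages in RANK_TWO.items():
        print(f"{name}: F = {fail_prob(stages):.3e}, f = {fail_freq(stages):.3e} 1/h")
    print("TFTA, rank two only:        F = %.3e, f = %.3e 1/h" % top_event(RANK_TWO))
    print("Boolean FTA, rank two only: F = %.3e, f = %.3e 1/h" % boolean_top_event(RANK_TWO))
```

The rank-two MCSS alone give f ≈ 6·10^-9 1/h with PAND and 1·10^-8 1/h with AND, which is the near doubling the remark describes.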


7.5 Discussion 

The analysis of this real world example system in chapter 7.1 demonstrates that the TFTA 
method is not limited to modelling only very small examples. Chapter 7 thereby extends the 
theoretical discussions on the TFTA approach in chapters 4 and 5, as well as the statements on 
basic application of the TFTA in chapter 6 . 

The analogy to the conventional FTA is shown during the creation of the temporal fault 
tree in figures 7.2 to 7.4. In this process no additional effort is necessary in comparison to the 
Boolean FTA apart from choosing temporal fault tree gates. 
In this temporal fault tree there are several meshings of basic events as well as of whole sub 
trees. For instance, events beneath “μC signal failure” are found beneath a temporal gate (“L 
commanded failure”). The same events are also found in the purely Boolean part of the fault 
tree below “commanded failure T3”. Additionally, the basic event “10 - μC generic failure 
activates SAF” is found in different and otherwise separated subtrees beneath different PAND 
gates. 

Using such meshing in e.g. a DFT approach would dramatically increase the effort; the 
necessary separation into different dynamic and non-dynamic modules would require that almost 
the whole fault tree had to be modelled as a dynamic module, i.e. in case of the DFT it had to 
be modelled using Markov methods. 

The detailed qualitative analysis of the temporal fault tree in chapter 7.3 demonstrates that 
the TFTA is able to solve these meshings by use of its temporal transformation laws. 

On the one hand it is true that the calculatory effort for these transformations increases 
rapidly, specifically because of the temporal distributive laws. On the other hand, the required 
calculations are mostly limited to string-manipulations. As a general rule, these are less costly 
than solving exponentially growing markov models or simulating big petri nets, as necessary for 
the other methods. 

The analysis of the MCSS in chapter 7.3.3 is, then, very similar to the Boolean FTA. Among 
others, it is demonstrated that the TFTA is well suited for real qualitative analysis. As described 
in chapter 6, this is one of the main advantages of the TFTA. 

The probabilistic quantification, as demonstrated in chapter 7.4, is based on a step-by-step 
approach, as is best practice. This allows adjusting modelling precision to the issue at hand, 
which implies adjustable effort, as well as concentrating all resources on the most important 
contributors. Neither is possible to the same extent when using the DFT. 




8 Summary and Outlook 


I want electricity to become so cheap 
that only the rich can afford candles. 

(Thomas Alva Edison) 


The new approach to temporal fault tree analysis presented in this thesis is called TFTA; it 
extends the Boolean FTA in order to include event sequences. In comparison to the conventional 
FTA this allows a more realistic model of the failure behaviour of complex and dynamic systems. 

The new TFTA uses a new temporal logic described in this thesis. With this logic it differs 
significantly from most existing approaches with similar aims. These transform the FTA model 
completely or partially into a state based model; temporal effects are then handled in the state 
space, and the results are then transferred back into the fault tree. TFTA contrasts with such 
state based methods in that 

• it uses an extension to Boolean algebra and logic, 

• its notation, terms, and its workflow and work products are taken from the conventional 
FTA, 

• it allows qualitative as well as probabilistic analyses and calculations including event 
sequence information. 

In comparison to other known approaches that also use a “temporal logic” to include temporal 
information into the fault tree the TFTA is significantly leaner. 

Specifically, TFTA is not another attempt to create a formal FTA logic for modelling of 
software systems. Instead, TFTA emphasises practice-oriented characteristics like intuitive 
applicability, readability, comprehensible logic expressions and results, transferability of real world 
failure effects into the model, and scalability. 

The temporal logic of the TFTA uses the Boolean operations of conjunction, disjunction, and 
negation. Additionally, two new temporal operations (PAND and SAND) represent two “special 
conjunctions” that describe event sequences and simultaneous events, respectively. 

Using the well known Boolean algebra and a set of new temporal transformation laws, it is 
possible to transform complex temporal expressions into their temporal disjunctive normal form 
(TDNF), which consists of separate event sequences. In analogy to the Boolean fault tree cutsets, 
these event sequences are reduced to a minimal form, the so-called minimal cutset sequences 
(MCSS). 

Then, MCSS are made mutually exclusive (i.e. disjoint). This disjoint form is especially well 
suited for direct quantification and makes probabilistic analysis possible. 


Unlike conventional FTA, probabilistic TFTA allows calculating reliability characteristics 
like failure probability, failure frequency, and failure rate of a fault tree TOP event with 
consideration of event sequence information, and without the need to change into the state 
space. 


Evaluation of this Thesis 

Originally, the development of a dedicated temporal logic aimed primarily at solving some of the 
problems that arise with the known dynamic extensions of the FTA which are based on Markov 
methods. The DFT method [37] is a well known representative of such dynamic extensions, and 
thus it is an obvious choice to compare what this thesis achieved with the DFT method. 

With regard to the calculatory effort, the consideration of event sequences always implies 
additional cost when compared to the Boolean FTA. This is true for state based extensions, as 
well as for extended logics covering temporal effects. This additional cost is a concern, even more 
so, as the determination of disjoint minimal cutsets in Boolean FTA already carries exponentially 
growing complexity. On the other hand, the TFTA method does not aim at solving this. 

Some of the TFTA’s problems are fundamentally connected to the kind of temporal logic 
that is used. Event sequence statements only cover the points in time at which events occur. 
Therefore, “time-limited” failure events, i.e. events with a defined time span of being True, 
cannot be represented by PAND and SAND. Instead, such effects need to be represented by 
conventional AND gates. This, however, is no deterioration in comparison to the DFT method. 
The Markov chains that the DFT uses are also only able to capture state transitions resulting 
from “initiating” failure events; they are not able to capture “time-limited” failure events. The 
DFT only hides this shortcoming better, because of the necessary modularization and because 
meshing is impossible. 

One major shortcoming of the DFT is modularization. In some cases, it makes it impossible 
to mesh events across single dynamic fault tree gates in a logically correct way. Compared to that, 
TFTA allows for such meshing; it is thus possible to consider more event sequence effects. 

Another major shortcoming of the DFT concerns qualitative evaluation of minimal cutsets. 
The transformation into the state space either forces the use of “meta events” in addition to 
basic events, where these meta events represent complete Markov models, or qualitative 
analysis is restricted so as not to include event sequence information. Compared to that, the 
(extended) event sequences in TFTA show exact event sequence information of all basic events 
that contribute to the TOP failure. As such, the TFTA permits more meaningful and efficient 
qualitative analyses than the DFT. 

Both the TFTA and the DFT allow for probabilistic evaluation of the TOP event’s 
failure rate and failure probability. On the one hand, with this quantification it is possible to 
determine the precise TOP event’s failure characteristics at comparably high calculatory costs. 
On the other hand, an approximation for the TFTA is provided, which reduces the necessary 
effort significantly. 

Three more arguments support the TFTA with regard to calculatory costs: first, the size of 
the differential equation system necessary for solving the DFT grows exponentially with the 
number of component failures that are within a dynamic module. Therefore, the overhead of 
TFTA (compared to Boolean FTA) is at least comparable with the DFT’s overhead - and the 
TFTA provides more meaningful results, as discussed above. Second, calculations in the TFTA 
are mainly string manipulations. These usually require less effort than solving exponentially 
growing state models. Third, the TFTA offers approximation methods, which provide a real 
possibility to reduce overhead effectively, while accepting a certain degree of imprecision; this 
may be used e.g. as a first step within a multi-step analysis. 

Therefore, the TFTA is a capable replacement for the DFT’s PAND gates, and furthermore 
provides some advantages methodology-wise, as well as regarding its usability. 

Possible Further Research 

During this thesis several additional topics were discovered that could not be completely 
covered and solved within this work. For instance, SAND connections are defined as (structural) 
dependencies between failure events, and they are considered qualitatively, but they are not 
taken into account probabilistically. Because of the significance of dependent failures, which 
are sometimes simply called common cause failures (CCF), it seems promising to extend the TFTA 
method, as described in this thesis, by such dependencies. Furthermore, this thesis restricts 
itself to non-repairable failures. It seems possible that the TFTA’s temporal logic, as well as 
the probabilistic aspects of the TFTA, may be extended to repairable failures. It could also be 
interesting to develop advanced methods to determine mutually exclusive (disjoint) expressions 
from a given TDNF. One possible way could be to follow segmentation methods, like those Abraham 
[80] or Heidtmann [81] proposed for Boolean algebra. Furthermore, it seems promising to 
investigate possible synergies between the TFTA logic and the BDD method in [86]. In general, there 
certainly is a demand for improved algorithms for using the TFTA in practice. In this regard, 
contributing to open source fault tree tools (such as OpenFTA [87]) could be an interesting 
possibility. 
A Further Explanations on Selected Topics 

A.1 Reliability Characteristics 

The probabilistic description of the failure behaviour of systems is done using characteristics, 
see table A.1. These are stochastic or probabilistic values, as the deterministic failure behaviour 
of an individual component or an individual system is usually not known in advance. Taking 
into account the probability distributions that result from such values is difficult in many real 
applications, in particular because of the effort necessary to assemble knowledge on the kind of 
distribution. In many cases constant or mean values are thus used instead of distributed values. 

This thesis uses the terms failure probability, failure frequency and failure rate, even though it 
originates in a safety background, as 

• the essential statements apply analogously to the field of general reliability, and 

• the use of such terms, which originally come from general reliability, is very common in the 
context of safety; see e.g. the relevant safety standards ISO 26262 [3] and IEC 61508 [4]. 
Table A.1: Characteristics of reliability and safety analysis according to [14] 


A.2 Creating and Using Sequential Failure Trees in the TFTA 

Sequential failure trees allow visualization of temporal-logical expressions, as well as manual 
verification of transformations according to the laws of TFTA’s temporal logic. Creating a 
sequential failure tree corresponding to a complex temporal expression requires some effort, but 
it is based on only a few basic steps. 

Choosing the Right Failure Tree 

The number of basic events within a temporal expression determines what kind of sequential 
failure tree needs to be chosen. The failure tree must at least support the number of basic events, 
but it may be bigger, too. Depending on the particular application, the simplified sequential 
failure tree without SAND may be sufficient. 

An example: the following figure shows two sequential failure trees that are both suited for 
the expression $\omega = A \wedge B$ and are not yet filled in. 



Transforming the Temporal Expression 

If the temporal expression is too complex, then, in a first step, simple sub-expressions need to 
be identified, and for these sequential failure trees are then created. In the extreme case, the 
basic events of the temporal expression are chosen as sub-expressions. The following steps are 
then repeated for all these sub-expressions. 

For instance, the two sub-expressions $A$ and $B$ are chosen for the expression $\omega = A \wedge B$. 

Minimal Failure Nodes 

Starting with the top-node all branches of the sequential failure tree are walked along, until in 
each branch the currently chosen sub-expression has occurred (or the branch has ended), and 
the minimal failure nodes are tagged. 

An example is presented in the next step. 

Non-Minimal Failure Nodes 

All nodes beneath a minimal failure node are tagged as successor nodes. 

An example: the following figures show the minimal (on the left side) as well as minimal and 
successor failure nodes (right side) corresponding to the temporal expression $\omega = A$. 
Negated Events 

Starting with the sequential failure tree corresponding to an event, all original non-failure nodes 
are marked as new minimal failure nodes; and all original failure nodes (minimal as well as 
successor) are marked as non-failure nodes. No new non-minimal failure nodes are added. 

The following figure shows the sequential failure tree for the example of $\neg A$. 



Conjunction/AND Relationship 

The sequential failure tree of the conjunction of two temporal expressions is the “intersection” 
of the individual expressions’ sequential failure trees. Minimal failure nodes thereby absorb 
non-minimal failure nodes. In a next step, non-minimal failure nodes are added as necessary; 
this is especially necessary in case of negated events. 

An example is presented in the next step. 

Disjunction/OR Relationship 

The sequential failure tree of the disjunction of two temporal expressions is the “union” of 
the individual expressions’ sequential failure trees. Non-minimal failure nodes thereby absorb 
minimal failure nodes. In a next step, non-minimal failure nodes are added as necessary; this 
is especially necessary in case of negated events. 

An example: the following figure shows (from left to right) two simplified sequential failure 
trees, as well as their “intersection” and “union”, respectively. 



PAND Relationship 

The sequential failure tree of the PAND connection of two temporal expressions, i.e. 
$\omega_1 \overline{\wedge} \omega_2$ (PAND written as $\overline{\wedge}$), is generated as follows: all those 
nodes are marked as minimal failure nodes that are minimal failure nodes of $\omega_2$ and, at the 
same time, non-minimal failure nodes of $\omega_1$. In a next step, non-minimal failure nodes are 
added as necessary. 

An example: the following figure shows (from left to right) two simplified sequential failure 
trees and their PAND connection. 
SAND Relationship 

The sequential failure tree of the SAND connection of two temporal expressions, i.e. 
$\omega_1 \dot{\wedge} \omega_2$ (SAND written as $\dot{\wedge}$), is generated as follows: all those nodes 
are marked as minimal failure nodes that are minimal failure nodes of $\omega_2$ and, at the same 
time, minimal failure nodes of $\omega_1$. In a next step, non-minimal failure nodes are added as 
necessary. 

An example: the following figure shows (from left to right) two simplified sequential failure 
trees and their SAND connection. 





A.3 Examples: Mutually Exclusive (Disjoint) Temporal Expressions 

The following assumes $n = 3$ and failure events $A$, $B$, and $C$. PAND is written as 
$\overline{\wedge}$ and SAND as $\dot{\wedge}$; square brackets delimit the individual event sequences. 

First Example 

The failure function $\omega = B$ is already given as a TDNF with only one sub-expression; it is not 
a minterm, though, as not all possible failure events are included in this expression. Using the 
method provided on page 52 yields a TDNF of mutually exclusive (disjoint) and minimal event 
sequences, which are temporal minterms, too: 

\[ 
\begin{aligned} 
B &= B \wedge (\neg A \vee A) \wedge (\neg C \vee C) \\ 
  &= [A \wedge B \wedge C] \vee [\neg C \wedge (A \wedge B)] \vee [\neg A \wedge (B \wedge C)] \vee [(\neg A \wedge \neg C) \wedge B] \;. 
\end{aligned} 
\] 

For better readability, the four resulting sub-expressions are inspected separately. 

\[ 
\eta_1 = A \wedge B \wedge C \;. 
\] 

Using the law of completion twice yields 

\[ 
\begin{aligned} 
\eta_1 &= [(A \wedge B) \overline{\wedge} C] \vee [(A \wedge B) \dot{\wedge} C] \vee [C \overline{\wedge} (A \wedge B)] \\ 
       &= [(A \overline{\wedge} B \vee A \dot{\wedge} B \vee B \overline{\wedge} A) \overline{\wedge} C] 
          \vee [(A \overline{\wedge} B \vee A \dot{\wedge} B \vee B \overline{\wedge} A) \dot{\wedge} C] \\ 
       &\quad \vee [C \overline{\wedge} (A \overline{\wedge} B \vee A \dot{\wedge} B \vee B \overline{\wedge} A)] \;. 
\end{aligned} 
\] 

As the expressions in round brackets are mutually exclusive (disjoint), 

\[ 
\begin{aligned} 
\eta_1 &= [(A \overline{\wedge} B) \overline{\wedge} C] \vee [(A \dot{\wedge} B) \overline{\wedge} C] \vee [(B \overline{\wedge} A) \overline{\wedge} C] 
          \vee [(A \overline{\wedge} B) \dot{\wedge} C] \vee [(A \dot{\wedge} B) \dot{\wedge} C] \\ 
       &\quad \vee [(B \overline{\wedge} A) \dot{\wedge} C] \vee [C \overline{\wedge} (A \overline{\wedge} B)] \vee [C \overline{\wedge} (A \dot{\wedge} B)] 
          \vee [C \overline{\wedge} (B \overline{\wedge} A)] \;. 
\end{aligned} 
\] 

Applying the transformation laws of the temporal logic then yields 

\[ 
\begin{aligned} 
\eta_1 &= [A \overline{\wedge} B \overline{\wedge} C] \vee [(A \dot{\wedge} B) \overline{\wedge} C] \vee [B \overline{\wedge} A \overline{\wedge} C] 
          \vee [A \overline{\wedge} (B \dot{\wedge} C)] \vee [A \dot{\wedge} B \dot{\wedge} C] \\ 
       &\quad \vee [B \overline{\wedge} (A \dot{\wedge} C)] \vee [A \overline{\wedge} C \overline{\wedge} B] \vee [(A \dot{\wedge} C) \overline{\wedge} B] 
          \vee [C \overline{\wedge} A \overline{\wedge} B] \\ 
       &\quad \vee [B \overline{\wedge} C \overline{\wedge} A] \vee [(B \dot{\wedge} C) \overline{\wedge} A] \vee [C \overline{\wedge} B \overline{\wedge} A] 
          \vee [C \overline{\wedge} (A \dot{\wedge} B)] \;. 
\end{aligned} 
\] 

With this the transformation of the first sub-expression is completed. 

Now, applying the law of completion on the second sub-expression, i.e. 

\[ 
\eta_2 = \neg C \wedge (A \wedge B) \;, 
\] 

already yields disjoint expressions, thus 

\[ 
\begin{aligned} 
\eta_2 &= \neg C \wedge (A \overline{\wedge} B \vee A \dot{\wedge} B \vee B \overline{\wedge} A) \\ 
       &= [\neg C \wedge (A \overline{\wedge} B)] \vee [\neg C \wedge (A \dot{\wedge} B)] \vee [\neg C \wedge (B \overline{\wedge} A)] \;. 
\end{aligned} 
\] 

The third sub-expression is transformed analogously, thus 

\[ 
\eta_3 = \neg A \wedge (B \wedge C) = [\neg A \wedge (B \overline{\wedge} C)] \vee [\neg A \wedge (B \dot{\wedge} C)] \vee [\neg A \wedge (C \overline{\wedge} B)] \;. 
\] 

The fourth sub-expression consists of one event sequence that cannot be further simplified: 

\[ 
\eta_4 = (\neg A \wedge \neg C) \wedge B \;. 
\] 

Combining these results, the three-variable minterm form of the expression $\omega = B$ is given as 
(for the meaning of the underlines, see below): 

\[ 
\begin{aligned} 
\omega = B = \eta_1 \vee \eta_2 \vee \eta_3 \vee \eta_4 = {} 
  & \underline{[A \overline{\wedge} B \overline{\wedge} C]} \vee \underline{[(A \dot{\wedge} B) \overline{\wedge} C]} \vee \underline{[B \overline{\wedge} A \overline{\wedge} C]} 
    \vee [A \overline{\wedge} (B \dot{\wedge} C)] \vee [A \dot{\wedge} B \dot{\wedge} C] \\ 
  & \vee \underline{[B \overline{\wedge} (A \dot{\wedge} C)]} \vee [A \overline{\wedge} C \overline{\wedge} B] \vee [(A \dot{\wedge} C) \overline{\wedge} B] 
    \vee [C \overline{\wedge} A \overline{\wedge} B] \vee \underline{[B \overline{\wedge} C \overline{\wedge} A]} \\ 
  & \vee \underline{[(B \dot{\wedge} C) \overline{\wedge} A]} \vee \underline{[C \overline{\wedge} B \overline{\wedge} A]} \vee [\neg C \wedge (A \overline{\wedge} B)] 
    \vee [\neg C \wedge (A \dot{\wedge} B)] \\ 
  & \vee \underline{[\neg C \wedge (B \overline{\wedge} A)]} \vee \underline{[\neg A \wedge (B \overline{\wedge} C)]} \vee [\neg A \wedge (B \dot{\wedge} C)] 
    \vee [\neg A \wedge (C \overline{\wedge} B)] \\ 
  & \vee [C \overline{\wedge} (A \dot{\wedge} B)] \vee [(\neg A \wedge \neg C) \wedge B] \;. 
\end{aligned} 
\] 

In this form $\omega$ is not yet minimal. As shown in figure A.1, only eleven of the 20 nodes in which 
$B = \mathrm{True}$ are really minimal. The minterms corresponding to these non-minimal nodes are 
underlined in the expression above. Applying the temporal laws of absorption provides the following 
minimal form: 

\[ 
\begin{aligned} 
\omega = B = \eta_1 \vee \eta_2 \vee \eta_3 \vee \eta_4 = {} 
  & [A \overline{\wedge} (B \dot{\wedge} C)] \vee [A \dot{\wedge} B \dot{\wedge} C] \vee [A \overline{\wedge} C \overline{\wedge} B] 
    \vee [(A \dot{\wedge} C) \overline{\wedge} B] \vee [C \overline{\wedge} A \overline{\wedge} B] \\ 
  & \vee [\neg C \wedge (A \overline{\wedge} B)] \vee [\neg C \wedge (A \dot{\wedge} B)] \vee [\neg A \wedge (B \dot{\wedge} C)] \\ 
  & \vee [\neg A \wedge (C \overline{\wedge} B)] \vee [C \overline{\wedge} (A \dot{\wedge} B)] \vee [(\neg A \wedge \neg C) \wedge B] \;. 
\end{aligned} 
\] 


Specifically, the structurally and temporally non-minimal temporal expressions (see chapter 
4.3.2) demonstrate that 

\[ 
\begin{aligned} 
(\neg A \wedge \neg C) \wedge B &\quad\text{covers}\quad [B \overline{\wedge} (A \wedge C)],\ [\neg A \wedge (B \overline{\wedge} C)],\ [\neg C \wedge (B \overline{\wedge} A)] \;, \\ 
\neg A \wedge (B \overline{\wedge} C) &\quad\text{covers}\quad B \overline{\wedge} C \overline{\wedge} A \;, \\ 
\neg C \wedge (B \overline{\wedge} A) &\quad\text{covers}\quad B \overline{\wedge} A \overline{\wedge} C \;, \\ 
\neg C \wedge (A \overline{\wedge} B) &\quad\text{covers}\quad A \overline{\wedge} B \overline{\wedge} C \;, \\ 
\neg A \wedge (C \overline{\wedge} B) &\quad\text{covers}\quad C \overline{\wedge} B \overline{\wedge} A \;, \\ 
\neg C \wedge (A \dot{\wedge} B) &\quad\text{covers}\quad (A \dot{\wedge} B) \overline{\wedge} C \;, \\ 
\neg A \wedge (B \dot{\wedge} C) &\quad\text{covers}\quad (B \dot{\wedge} C) \overline{\wedge} A \;. 
\end{aligned} 
\] 

Figure A.1: Sequential failure tree corresponding to $\omega = B$ with eleven minimal failure nodes 
and nine non-minimal failure nodes. Nine failure nodes also include at least one 
SAND connection. 

Second Example 

The failure function $\omega = (A \vee B) \overline{\wedge} C$ is not given in a TDNF. First, the transformation 
laws of temporal logic are used in order to create a TDNF: 

\[ 
\omega = (A \vee B) \overline{\wedge} C = (A \overline{\wedge} C) \vee (B \overline{\wedge} C) \;. 
\] 

Neither sub-expression on the right side includes all three relevant variables. Each 
sub-expression is therefore transformed according to (4.122) so as to include the missing variables: 

\[ 
\begin{aligned} 
\omega &= [\neg B \wedge (A \overline{\wedge} C)] \vee [B \wedge (A \overline{\wedge} C)] \vee [\neg A \wedge (B \overline{\wedge} C)] \vee [A \wedge (B \overline{\wedge} C)] \\ 
       &= [\neg B \wedge (A \overline{\wedge} C)] \vee [B \overline{\wedge} A \overline{\wedge} C] \vee [A \overline{\wedge} B \overline{\wedge} C] \vee [(A \dot{\wedge} B) \overline{\wedge} C] \\ 
       &\quad \vee [A \overline{\wedge} (B \dot{\wedge} C)] \vee [A \overline{\wedge} C \overline{\wedge} B] \vee [\neg A \wedge (B \overline{\wedge} C)] \vee [A \overline{\wedge} B \overline{\wedge} C] \\ 
       &\quad \vee [B \overline{\wedge} A \overline{\wedge} C] \vee [(A \dot{\wedge} B) \overline{\wedge} C] \vee [B \overline{\wedge} (A \dot{\wedge} C)] \vee [B \overline{\wedge} C \overline{\wedge} A] \;. 
\end{aligned} 
\] 

The expressions $A \overline{\wedge} B \overline{\wedge} C$ and $B \overline{\wedge} A \overline{\wedge} C$ and $(A \dot{\wedge} B) \overline{\wedge} C$ are listed twice each. Moreover, 
$\neg A \wedge (B \overline{\wedge} C)$ and $\neg B \wedge (A \overline{\wedge} C)$ cover the non-minimal expressions $B \overline{\wedge} C \overline{\wedge} A$ and $A \overline{\wedge} C \overline{\wedge} B$. 
Thus, the minterm form of the failure function is given as 

\[ 
\begin{aligned} 
\omega &= [\neg B \wedge (A \overline{\wedge} C)] \vee [B \overline{\wedge} A \overline{\wedge} C] \vee [A \overline{\wedge} B \overline{\wedge} C] \vee [(A \dot{\wedge} B) \overline{\wedge} C] \\ 
       &\quad \vee [A \overline{\wedge} (B \dot{\wedge} C)] \vee [\neg A \wedge (B \overline{\wedge} C)] \vee [B \overline{\wedge} (A \dot{\wedge} C)] \;. 
\end{aligned} 
\] 

Figure A.2 shows the sequential failure tree of this second example, including its seven minimal 
and two non-minimal failure nodes. 

Figure A.2: Sequential failure tree corresponding to $\omega = (A \vee B) \overline{\wedge} C$ with seven minimal and 
two non-minimal failure nodes. Three failure nodes include at least one SAND 
connection. 




B Abbreviations/Acronyms 

BDD    binary decision diagram 
BDMP   Boolean logic driven Markov processes 
CCF    common cause failure 
DFT    dynamic fault tree 
DGL    differential equation 
DNF    disjunctive normal form 
DRBD   dynamic reliability block diagram 
E/E    electric / electronic 
FAA    Federal Aviation Administration 
FMEA   failure modes and effects analysis 
FT     fault tree 
FTA    fault tree analysis 
HRA    human reliability analysis 
MCSS   minimal cutset sequences 
MoCaS  Monte Carlo simulation 
PAND   priority AND 
POR    priority OR 
RBD    reliability block diagram 
SAND   simultaneous AND 
TDNF   temporal disjunctive normal form 
TFTA   temporal fault tree analysis 
ZSA    reliability and safety analyses 
C Notation 

Symbol                     Meaning 

$\cdot(t)$                 time dependent parameter 
$\cdot_i$                  parameter for element $i$ 
$o(\Delta t)$              function with $\lim_{\Delta t \to 0} o(\Delta t)/\Delta t = 0$ 
$\wedge$                   Boolean AND 
$\vee$                     Boolean OR 
$\neg$                     Boolean NOT 
$\overline{\wedge}$        temporal PAND 
$\dot{\wedge}$             temporal SAND 
$\subset$; $\subseteq$     proper subset; subset 
$\perp$                    are disjoint (for events, e.g. $A \overline{\wedge} B \perp B \overline{\wedge} A$) 
$\in$                      is element of (for sets, e.g. $1 \in \{1, 2, \ldots, n\}$) 
$\in$                      is part of (for events, e.g. $A \in A \overline{\wedge} B$) 
$\exists$                  there is 
                           is minimal 
$A, B, C, D$               failure events (within examples), see $X$ 
ae                         token for atomic events 
ce                         token for core events 
$E$                        expectancy value 
eK                         extended core event 
ece                        token for extended core events 
ES                         event sequence 
es                         token for event sequences 
eES                        extended event sequence 
ees                        token for extended event sequences 
etdnf                      token for extended temporal expressions in TDNF 
$\eta$                     temporal (sub)expression (in chapter 7 and appendix A) 
$f$                        failure density (density function of the failure probability) 
$F$                        failure probability/unavailability 
$i$                        index 
$j$                        index 
$k$                        index 
$k$                        position of an extended core event within an extended MCSS 
$K$                        core event 
$K$                        system-state-vector/-node (sequential failure tree) 
$K'$                       predecessor node (sequential failure tree) 
$K''$                      successor node (sequential failure tree) 
$l$                        index 
$\lambda$                  failure rate 
$\lambda_{i,j}$            transition rate between states $i$ and $j$ 
$\max(\cdot)$              maximum 
MS                         minimal cutset 
MCSS                       minimal cutset sequence 
$n$                        index 
nae                        token for negated atomic events 
nce                        token for negated core events 
nes                        token for event sequences with negated events 
nees                       token for extended event sequences with negated events 
$O(x)$                     order of complexity $x$ 
$P$                        state probability 
$\dot{P}$                  derivative of the state probability 
$\varphi$                  Boolean failure function 
$\omega$                   temporal failure function 
$r$                        system state (sequential failure tree) 
$r$                        number of AND-connected basic events within an extended core event 
$R$                        reliability 
$S$                        cutset (as in minimal cutset) 
$t$                        time 
$t_X$                      time of occurrence of event $X$ (at this time the failure represented by $X$ occurs) 
$T$                        life expectancy 
$T_M$                      mission time 
$\tau$                     time (parameter in integrations) 
$\tau_i$                   $i$-th parameter in integrations in multiple integrals 
$\Delta t$                 (infinitesimally) small time span 
tdnf                       token for temporal expressions in TDNF 
$u$                        index 
$U$                        unavailability 
w                          number of extended core events within an extended MCSS 
$X$                        Boolean event (failure logic: $X = 1 \to$ failed, $X = 0 \to$ not failed) 
T                          number of MCSS covered by an extended MCSS 
c                          number of cutsets 
                           number of minimal cutsets 




